How to fix CVE-2025-52921?

Within 24 hours: Inventory all Innoshop deployments and restrict admin panel access to trusted networks only. Within 7 days: Disable the File Manager feature in the admin panel or implement Web Application Firewall rules to block rename operations on uploaded files. Within 30 days: Evaluate migration to alternative e-commerce platforms or await vendor patch release; conduct forensic analysis of admin activity logs for signs of exploitation.

Is PHP affected by CVE-2025-52921?

Innoshop versions through 0.4.1 contain a critical vulnerability allowing authenticated administrators to execute arbitrary code on servers through file upload manipulation, with no available patch.

CVE-2025-52921

EUVD-2025-18868 CRITICAL

2025-06-23 [email protected]

PHP RCE

9.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 22:10 euvd

EUVD-2025-18868

Analysis Generated

Mar 15, 2026 - 22:10 vuln.today

CVE Published

Jun 23, 2025 - 12:15 nvd

CRITICAL 9.9

DescriptionNVD

In Innoshop through 0.4.1, an authenticated attacker could exploit the File Manager functions in the admin panel to achieve code execution on the server, by uploading a crafted file and then renaming it to have a .php extension by using the Rename Function. This bypasses the initial check that uploaded files are image files. The application relies on frontend checks to restrict the administrator from changing the extension of uploaded files to .php. This restriction is easily bypassed with any proxy tool (e.g., BurpSuite). Once the attacker renames the file, and gives it the .php extension, a GET request can be used to trigger the execution of code on the server.

AnalysisAI

A remote code execution vulnerability in Innoshop (CVSS 9.9). Critical severity with potential for significant impact on affected systems.

Technical ContextAI

Vulnerability type: remote code execution. CVSS 9.9 indicates critical severity with likely remote exploitation vector. Affects Innoshop.

RemediationAI

Monitor vendor channels for patch availability.

CVE-2025-52921 vulnerability details – vuln.today

Back