CVE-2025-58449: 
PHP vulnerability analysis and mitigation

Maho, a free and open source ecommerce platform, disclosed a high-severity vulnerability (CVE-2025-58449) affecting versions prior to 25.9.0. The vulnerability was discovered on September 7, 2025, and involves an authenticated remote code execution risk through file upload functionality (GitHub Advisory).

The vulnerability allows an authenticated staff user with Dashboard and Catalog\Manage Products permissions to create a custom option on a product listing with a file input field. By configuring the allowed file extensions to include .php, an attacker can upload malicious PHP files to gain remote code execution. The uploaded files are stored in a predictable location under /public/media/custom_options/ and are directly accessible via HTTP requests. The vulnerability has received a CVSS v4.0 base score of 8.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (GitHub Advisory).

The vulnerability enables remote code execution (RCE) on the server, allowing attackers to execute arbitrary PHP code within the webroot. This can lead to complete system compromise, despite requiring authenticated access with specific permissions. The high CVSS score reflects the severe potential impact on system confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability has been patched in Maho version 25.9.0. The fix implements enhanced file extension security validation for product custom options, preventing the upload of dangerous file types. The patch enforces a whitelist of allowed extensions and blocks potentially malicious extensions including php, php3, php4, php5, php7, php8, phtml, phar, exe, bat, cmd, com, scr, vbs, js, jar, py, pl, rb, sh, asp, aspx, jsp, and cgi (GitHub Commit).