Security researcher TheHiker has disclosed three serious vulnerabilities in InnoShop, an open-source eCommerce system built on Laravel 12.
These issues—ranging from insecure direct object references (IDOR) to full remote code execution (RCE) and path traversal—affect all versions up to and including v0.4.1, and have been assigned the following CVEs:
- CVE-2025-52920 (CVSS 6.4) — IDOR vulnerabilities in the frontend shop
- CVE-2025-52921 (CVSS 9.9) — RCE via file rename and upload in the admin panel
- CVE-2025-52922 (CVSS 7.4) — Multiple path traversal flaws in the file manager
TheHiker discovered that order IDs were predictable: a timestamp with a numeric identifier appended. Because the order-detail endpoint performed no ownership check, swapping the order ID in the URL let one customer read another customer's personal information.
More troubling still, the researcher demonstrated that a customer could place an order under another customer's profile details simply by modifying form parameters in an intercepted request.
“Not only did customer2 place an order using customer1’s details, he can also view these when checking his order details,” the report explains.
The report also showed that one user could delete another user's product review, again because the server-side endpoint never verified who owned the record.
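The three frontend findings above share one root cause: endpoints look records up by ID alone and trust identity fields supplied in the request. The following Laravel 12 controllers are an added example, not InnoShop's code, showing the vulnerable lookup beside the scoped one. Assumed (hypothetical) schema: `orders`, `addresses` and `reviews` each carry a `user_id` column, and the `User` model defines `hasMany` relations `orders()`, `addresses()` and `reviews()`.

```php
<?php
// Added example, not InnoShop's code. Hypothetical Laravel 12 controllers
// (two shown in one file for brevity) illustrating the IDOR pattern and its
// fix. Assumed schema: orders.user_id, addresses.user_id, reviews.user_id,
// plus User::orders(), User::addresses(), User::reviews() hasMany relations.

namespace App\Http\Controllers;

use App\Models\Order;
use Illuminate\Http\Request;

class OrderController extends Controller
{
    // VULNERABLE: looks the order up by ID alone. Any logged-in customer can
    // read any order, and predictable IDs make enumeration trivial.
    public function showInsecure(int $id)
    {
        $order = Order::findOrFail($id);
        return view('orders.show', compact('order'));
    }

    // FIXED: scope the query to the caller's own orders. A foreign ID yields
    // 404 rather than 403, so the endpoint also does not confirm that the
    // order exists at all.
    public function show(Request $request, int $id)
    {
        $order = $request->user()->orders()->findOrFail($id);
        return view('orders.show', compact('order'));
    }

    // FIXED: identity comes from the session, never from the form. The
    // address is resolved through the caller's own relation, so submitting
    // another customer's address_id (or customer_id) in the request is
    // ignored rather than honoured.
    public function store(Request $request)
    {
        $data = $request->validate([
            'address_id' => ['required', 'integer'],
            'note'       => ['nullable', 'string', 'max:500'],
        ]);
        $address = $request->user()->addresses()->findOrFail($data['address_id']);
        $order = $request->user()->orders()->create([
            'address_id' => $address->id,
            'note'       => $data['note'] ?? null,
        ]);
        return redirect()->route('orders.show', $order);
    }
}

class ReviewController extends Controller
{
    // FIXED: resolve the review through the caller's own relation before
    // the destructive action, so a foreign review ID is a 404, not a delete.
    public function destroy(Request $request, int $id)
    {
        $review = $request->user()->reviews()->findOrFail($id);
        $review->delete();
        return response()->noContent();
    }
}
```

Scoping every lookup through the authenticated user's relations is the simplest fix; for endpoints that legitimately serve records owned by others (staff views, shared carts) a Laravel policy with `$this->authorize('view', $order)` makes the ownership rule explicit instead of implicit in the query.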
The administration interface of InnoShop includes a file manager. Although the upload function restricted file types to .jpg, .jpeg, and .gif, TheHiker noticed something important:
“There is a feature that allows me to modify the existing file names.”
By intercepting and modifying the rename request, the researcher renamed an uploaded JPEG to a .php extension on the server. The image already carried embedded PHP code, so the rename turned a file the upload filter had accepted as harmless into a script the web server would execute.
Requesting /static/media/rce.php then ran the id command on the server, confirming remote code execution.
Using an API token obtained from the admin login, TheHiker examined FileManagerController.php and found path traversal throughout the file manager's endpoints.
“The whole API is filled with path traversal attacks that allow an attacker to map the file system, read files, delete files, write files and create directories.”
Using nothing more than crafted API requests, TheHiker demonstrated:
- Reading sensitive files like /etc/passwd
- Writing to arbitrary locations via file move operations
- Deleting arbitrary files
- Creating directories anywhere on the server
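Both file manager findings (the rename-to-.php RCE and the traversal in read, move, delete and mkdir) come down to two missing checks: the new file name is never validated against the same allowlist the upload enforces, and user-supplied paths are never canonicalised and confined to the media root. The plain-PHP helpers below are an added example, not InnoShop's or TheHiker's code. `resolveInsideRoot()` and `safeNewName()` are hypothetical names; the media root is a temporary directory constructed for the demo, and the sample inputs are constructed to match the cases the report describes.

```php
<?php
// Added example, not InnoShop's or TheHiker's code. Hypothetical helpers a
// file manager endpoint would call before touching the filesystem.
// Runs stand-alone: php filemanager_checks.php (PHP >= 8.0).
declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'gif', 'png'];

/**
 * Resolve a user-supplied relative path against $root and reject anything
 * that escapes it. realpath() collapses "..", "." and symlinks, so the
 * containment check runs on the canonical path, not on the raw string.
 * Non-existent targets (mkdir, move destination) are allowed as long as the
 * canonical parent directory is inside the root.
 * Returns the canonical absolute path, or null when the request is unsafe.
 */
function resolveInsideRoot(string $root, string $userPath): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false || str_contains($userPath, "\0")) {
        return null; // NUL bytes truncate paths in C-level calls
    }
    $candidate = $rootReal . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');
    $real = realpath($candidate);
    if ($real === false) {
        // Target does not exist yet: canonicalise the parent, re-append leaf.
        $parent = realpath(dirname($candidate));
        $leaf = basename($candidate);
        if ($parent === false || $leaf === '.' || $leaf === '..') {
            return null;
        }
        $real = $parent . DIRECTORY_SEPARATOR . $leaf;
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return ($real === $rootReal || str_starts_with($real, $prefix)) ? $real : null;
}

/**
 * Validate a new file name for the rename endpoint. The upload allowlist is
 * worthless if rename accepts an arbitrary name: cat.jpg -> rce.php turns an
 * image carrying PHP code into a script the web server executes.
 */
function safeNewName(string $newName): ?string
{
    // No directory components and no odd characters.
    if ($newName === '' || $newName !== basename($newName)
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $newName)) {
        return null;
    }
    $parts = explode('.', $newName);
    if (count($parts) < 2) {
        return null;
    }
    // Last extension must be on the allowlist...
    if (!in_array(strtolower(end($parts)), ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // ...and no executable extension may appear anywhere in the chain
    // (Apache AddHandler setups can execute a.php.jpg as PHP).
    foreach (array_slice($parts, 1) as $p) {
        if (preg_match('/^ph(p\d?|ar|tml)$/i', $p)) {
            return null;
        }
    }
    return $newName;
}

// Demo against a constructed media root in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'media_' . bin2hex(random_bytes(4));
mkdir($root . '/images', 0700, true);
file_put_contents($root . '/images/cat.jpg', "GIF89a<?php echo 'hello'; ?>"); // polyglot

foreach (['images/cat.jpg', '../../../etc/passwd', 'images/../../escape',
          'images/new.png', 'images/../images/cat.jpg'] as $p) {
    printf("path   %-26s -> %s\n", $p, resolveInsideRoot($root, $p) ?? 'REJECTED');
}
foreach (['cat.jpeg', 'rce.php', 'cat.PhP', 'cat.php.jpg', '../cat.jpg'] as $n) {
    printf("rename %-26s -> %s\n", $n, safeNewName($n) ?? 'REJECTED');
}

unlink($root . '/images/cat.jpg');
rmdir($root . '/images');
rmdir($root);
```

The demo accepts `images/cat.jpg`, `images/new.png` and `images/../images/cat.jpg` (all canonicalise inside the root) and rejects the two escapes; for renames it accepts only `cat.jpeg`. Note that extension checks alone do not make the media directory safe: the image served from `/static/media/` still contains PHP, so the directory should also be served with script execution disabled.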
Despite responsible disclosure efforts via email and GitHub, the researcher states:
“Unfortunately, as of 22–06–2025, there is no fix available for these issues. I have not received any response from the developers.”
Until patches are available, the risk is significant for any organization running InnoShop in production. The rename and file manager flaws require an authenticated admin-panel session (the researcher worked from an API token obtained via the admin login), so restricting who can reach the admin panel reduces exposure to CVE-2025-52921 and CVE-2025-52922; the IDOR issues in CVE-2025-52920, by contrast, need nothing more than an ordinary customer account.
For those interested in further technical details or in testing the issues themselves, TheHiker has also released a proof-of-concept (PoC) framework called InnoSploit.