Headline
GHSA-vgmm-27fc-vmgp: Maho is Vulnerable to Authenticated Remote Code Execution via File Upload
Summary
In Maho 25.7.0, an authenticated staff user with access to the Dashboard and Catalog\Manage Products permissions can create a custom option on a listing with a file input field. By allowing file uploads with a .php extension, the user can use the filed to upload malicious PHP files, gaining remote code execution
Details
An user with the Dashboard and Catalog\Manage Products permissions can abuse the product custom options feature to bypass the application’s file upload restrictions.
When creating a product custom option of type file upload, the user is allowed to define their own extension whitelist. This bypasses the application’s normal enforced whitelist and permits disallowed extensions, including .php.
The file uploaded by the custom option is then written to a predictable location:
/public/media/custom_options/<first char of filename>/<second char of filename>/<md5 of file contents>.php
Because this path is directly accessible under the application’s webroot, an attacker can then request the uploaded file via HTTP, causing the server to execute the PHP payload.
PoC
Sign in to the
/admindashboard as a staff user. Ensure the user’s role has access to theDashboardandCatalog\Manage Productspermissions.Navigate to a product catalog listing, for example by clicking on a product linked within the
Most Viewed Productstab on the dashboard. <img width="648" height="194" alt="image" src="https://github.com/user-attachments/assets/1ab69182-68ea-48e4-b50b-46ccf70f40bb" />Navigate to the “Custom Options” tab on the product, and create a custom option with a file upload field. Add
.phpas an allowed extension to the file upload configuration. Save the configuration after making the changes. <img width="836" height="391" alt="image" src="https://github.com/user-attachments/assets/5abe7d80-c16d-4b54-9a19-799bda1bcc34" />In a private window, navigate to the customer facing page for the product, and upload a reverse shell PHP file through the newly configured option. Then click “Add to cart” to complete the upload. <img width="473" height="286" alt="image" src="https://github.com/user-attachments/assets/326ce37e-026a-4211-8e95-6f5f310727df" />
Calculate the location of the uploaded file on the web server as
/public/media/custom_options/<first char of filename>/<second char of filename>/<md5 of file contents>.php
- Navigate to the above path directly to execute the file contents and trigger the reverse shell. <img width="910" height="339" alt="image" src="https://github.com/user-attachments/assets/e0e52607-81d5-4dc2-8550-ef324182f889" />
Impact
This vulnerability allows remote code execution (RCE) on the server. It requires only the Catalog\Manage Products permission, and does not need full administrative access. By leveraging the custom option upload feature, an attacker can bypass the application’s normal file upload protections and execute arbitrary PHP code within the webroot.
Suggested Remediation
Enforce a whitelist of allowed extensions a user is allowed to configure for file upload fields in Custom Options.
Summary
In Maho 25.7.0, an authenticated staff user with access to the Dashboard and Catalog\Manage Products permissions can create a custom option on a listing with a file input field. By allowing file uploads with a .php extension, the user can use the filed to upload malicious PHP files, gaining remote code execution
Details
An user with the Dashboard and Catalog\Manage Products permissions can abuse the product custom options feature to bypass the application’s file upload restrictions.
When creating a product custom option of type file upload, the user is allowed to define their own extension whitelist. This bypasses the application’s normal enforced whitelist and permits disallowed extensions, including .php.
The file uploaded by the custom option is then written to a predictable location:
/public/media/custom_options/<first char of filename>/<second char of filename>/<md5 of file contents>.php
Because this path is directly accessible under the application’s webroot, an attacker can then request the uploaded file via HTTP, causing the server to execute the PHP payload.
PoC
Sign in to the /admin dashboard as a staff user. Ensure the user’s role has access to the Dashboard and Catalog\Manage Products permissions.
Navigate to a product catalog listing, for example by clicking on a product linked within the Most Viewed Products tab on the dashboard.
Navigate to the “Custom Options” tab on the product, and create a custom option with a file upload field. Add .php as an allowed extension to the file upload configuration. Save the configuration after making the changes.
In a private window, navigate to the customer facing page for the product, and upload a reverse shell PHP file through the newly configured option. Then click “Add to cart” to complete the upload.
Calculate the location of the uploaded file on the web server as
/public/media/custom_options/<first char of filename>/<second char of filename>/<md5 of file contents>.php
- Navigate to the above path directly to execute the file contents and trigger the reverse shell.
Impact
This vulnerability allows remote code execution (RCE) on the server. It requires only the Catalog\Manage Products permission, and does not need full administrative access. By leveraging the custom option upload feature, an attacker can bypass the application’s normal file upload protections and execute arbitrary PHP code within the webroot.
Suggested Remediation
Enforce a whitelist of allowed extensions a user is allowed to configure for file upload fields in Custom Options.
References
- GHSA-vgmm-27fc-vmgp
- https://nvd.nist.gov/vuln/detail/CVE-2025-58449
- MahoCommerce/maho@db54a1b