CVE-2025-0460
Published: 14 January 2025
Description
A vulnerability, which was classified as critical, was found in Blog Botz for Journal Theme 1.0 on OpenCart. This affects an unknown part of the file /index.php?route=extension/module/blog_add. The manipulation of the argument image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-0460 is a critical vulnerability in Blog Botz for Journal Theme version 1.0 running on OpenCart. It affects an unknown functionality within the file /index.php?route=extension/module/blog_add, where manipulation of the image argument enables unrestricted file upload. Classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), the issue carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, primarily through uploading arbitrary files, which could facilitate further compromise depending on server configuration and file handling.
VulDB advisories detail the issue but note no vendor response despite early contact, with no patches or official mitigations available. The exploit PoC has been publicly disclosed via a GitHub gist, increasing the risk of active use.
In context, the vulnerability was published on January 14, 2025, and the public exploit disclosure heightens the urgency for OpenCart users employing this module to review and potentially disable or replace Blog Botz for Journal Theme 1.0.
Details
- CWE(s)