CVE Alert: CVE-2025-52920

image 1

Vulnerability Summary: CVE-2025-52920

Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products on the website. To be specific, an attacker could view the order details of any order by browsing to /en/account/orders/_ORDER_ID_ or use the address and billing information of other customers by manipulating the shipping_address_id and billing_address_id parameters when making an order (this information is then reflected in the receipt). Additionally, an attacker could delete the reviews of other users by sending a DELETE request to /en/account/reviews/_REVIEW_ID.

Affected Endpoints:

No affected endpoints listed.

Published Date:

6/23/2025, 12:15:22 PM

⚠️ CVSS Score:

CVSS v3 Score: 6.4 (Medium)

Exploit Status:

Not Exploited

EPS Score: 0.00027 | Ranking EPS: 0.05872

References:

Recommended Action:

No proposed action available. Please refer to vendor documentation for updates.


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

To keep up to date follow us on the below channels.