VYPR
Medium severity · CVSS 4.3 · NVD Advisory · Published Jul 14, 2025 · Updated Apr 29, 2026

CVE-2025-7567

Description

A vulnerability was found in ShopXO up to 6.5.0 and classified as problematic. This issue affects some unknown processing of the file header.html. The manipulation of the argument lang/system_type leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in ShopXO ≤6.5.0 allows remote attackers to inject arbitrary JavaScript via the `lang` parameter in header.html.

The vulnerability stems from insufficient input sanitization in ShopXO’s multilingual support functionality. The lang parameter value is directly embedded into a JavaScript variable assignment without proper escaping of single quotes. This occurs in the header.html files of the app, admin, and install views [1].

An attacker can trigger the flaw by sending a crafted link containing a malicious lang parameter to a user, such as http://target-ip/?lang=1%27;alert(234);var%20__test__=%271. No authentication is required for the public-facing entry point, making it remotely exploitable [1].

The impact includes potential session hijacking (by stealing admin/user cookies), phishing attacks (by injecting fake login forms), and, if the backend is targeted, privilege escalation through modification of administrative settings [1].

ShopXO versions up to and including 6.5.0 are affected. The vendor has not released a patch at the time of this writing. Users should either sanitize the lang parameter in the vulnerable templates or restrict access to the header files until an official fix is available [1].
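The pattern described above, a request parameter dropped between single quotes inside an inline script, is shown below next to a hardened encoder. This is an added illustration, not ShopXO's template code; the variable name `__lang__`, the `renderUnsafe`/`renderSafe`/`jsStringLiteral` helpers and the harness are assumptions, and the sample value is the advisory's proof-of-concept query string, URL-decoded.

```javascript
// Added example, not ShopXO's own code: the unsafe pattern the advisory
// describes next to a hardened encoder, with a harness that evaluates the
// rendered script the way a browser would (alert replaced by a recorder).

// Vulnerable pattern: the raw `lang` value lands inside a JS string literal,
// so a single quote in the input ends the literal early.
function renderUnsafe(lang) {
  return `<script>var __lang__='${lang}';</script>`;
}

// Hardened encoder: JSON-encode so quotes, backslashes and control chars are
// escaped, then also escape `<`, `>` and `&` (so a `</script>` in the value
// cannot close the element) and the U+2028/U+2029 line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(lang) {
  return `<script>var __lang__=${jsStringLiteral(lang)};</script>`;
}

// Harness: run the script body with `alert` bound to a recorder and report
// which alerts fired and what `__lang__` ended up holding.
function runInlineScript(html) {
  const body = html.slice('<script>'.length, -'</script>'.length);
  const alerts = [];
  const lang = new Function('alert', body + '\nreturn __lang__;')(
    (msg) => alerts.push(msg));
  return { lang, alerts };
}

// Constructed sample: the advisory's proof-of-concept value, URL-decoded.
const SAMPLE_LANG = decodeURIComponent('1%27;alert(234);var%20__test__=%271');

// Unsafe render: alert fires and __lang__ is truncated to '1'.
// Safe render: no alert, __lang__ holds the full untouched value.
```

With the unsafe template `runInlineScript(renderUnsafe(SAMPLE_LANG))` records the alert and returns `lang: '1'`; with the hardened one the value is stored verbatim and nothing executes.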

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in the index yet)