CVE-2014-4963

Shopizer < 1.1.5 - Unauthenticated Arbitrary User Account Modification via customer.customerId Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-4963.

AI-analyzed exploit summary This advisory details multiple critical vulnerabilities in Shopizer, including Remote Command Execution via Struts2 OGNL injection, price manipulation through negative quantities, and mass assignment attacks. It provides technical details and proof-of-concept examples for each vulnerability.

Description

Shopizer 1.1.5 and earlier allows remote attackers to modify the account settings of arbitrary users via the customer.customerId parameter to shop/profile/register.action.

Exploits (1)

exploitdb WRITEUP

webappsphp

https://www.exploit-db.com/exploits/34062

View Code ZIP pw:eip

This advisory details multiple critical vulnerabilities in Shopizer, including Remote Command Execution via Struts2 OGNL injection, price manipulation through negative quantities, and mass assignment attacks. It provides technical details and proof-of-concept examples for each vulnerability.

Classification

Writeup 100%

Attack Type

Rce | Auth Bypass | Other

Complexity

Moderate

Reliability

Reliable

Target: Shopizer 1.1.5 and below

No auth needed

Prerequisites: Access to the Shopizer web interface · Struts2 vulnerability exposure

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/532726/100/0/threaded

Mailing List mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2014/Jul/38

Scores

EPSS 0.0374

EPSS Percentile 88.5%

Details

Status published

Products (1)

shopizer/shopizer < 1.1.5

Published Jul 15, 2014

Tracked Since Feb 18, 2026