What the vulnerability does
01 Description
Improper Control of Generation of Code ('Code Injection') vulnerability in extremeidea bidorbuy Store Integrator bidorbuystoreintegrator allows Remote Code Inclusion. This issue affects bidorbuy Store Integrator: from n/a through <= 2.12.0.
Explanation of Vulnerability in Simple Terms
02 Summary
The bidorbuy Store Integrator contains a code injection vulnerability that allows high-privileged users to execute arbitrary PHP code on the site. An attacker with administrative or equivalent access can inject malicious code through the application, affecting confidentiality, integrity, and availability across the entire system. All versions up to 2.12.0 are affected.
What an attacker can do
03 Attacker Capabilities
Run arbitrary PHP code on the site with full system access.
Potential impact on your site
04 Site Impact
A compromised admin account can execute code, modify data, steal information, or disable the site entirely.
Conditions required to exploit
05 Prerequisites
Attacker must have high-level privileges (admin or equivalent role) in the application.
Key dates
06 Disclosure timeline
August 28, 2025: CVE published
April 28, 2026: Record updated