Shoppers' information may be at risk, as the two e-commerce platforms osCommerce and osCmax have not patched vulnerabilities despite being alerted to them weeks ago. Details are here:
https://www.htbridge.com/advisory/HTB23287
https://www.htbridge.com/advisory/HTB23285
Both web applications are vulnerable to Remote Code Execution, which allows attackers to compromise the web application, steal the entire database and plant malware to infect visitors.
With osCommerce alone used by 280,000 store owners (according to the vendor), the potential impact could be huge.
The exploitation vector is somewhat complicated, and under CVSSv3 (the Common Vulnerability Scoring System) both are rated as medium-risk flaws, since each requires a small amount of interaction from the victim (the website admin).
However, in practice both flaws are easily exploitable via simple social engineering, so High-Tech Bridge believes they are more realistically high or critical vulnerabilities.
Both vendors have failed to patch despite numerous alerts and notifications from High-Tech Bridge; this is why the vulnerabilities are being made public today.