In Shopizer versions 2.3.0 to 3.0.1 is vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.
A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the “Manage files” tab
In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin (although this cannot happen according to the documentation) via Insecure Direct Object Reference (IDOR) vulnerability.
A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions v2.0.2 through v2.17.0 via the “Manage Images” tab, which allows an attacker to upload a SVG file containing malicious JavaScript code.
A reflected cross-site scripting (XSS) vulnerability in Shopizer allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL.
A stored cross-site scripting (XSS) vulnerability in Shopizer allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration.
In Shopizer, a script can be injected in various forms and saved in the database, then executed when information is fetched from backend.
In Shopizer, using API or Controller based versions negative quantity is not adequately validated hence creating incorrect shopping cart and order total. This vulnerability makes it possible to create a negative total in the shopping cart.