Focus on niushop vulnerabilities and metrics.
Last updated: 25 Nov 2025, 23:25 UTC
This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with niushop. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.
For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.
Total niushop CVEs: 10
Earliest CVE date: 23 Jul 2018, 20:29 UTC
Latest CVE date: 22 Mar 2024, 12:15 UTC
Latest CVE reference: CVE-2024-28560
30-day Count (Rolling): 0
365-day Count (Rolling): 0
Calendar-based Variation
Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.
Month Variation (Calendar): 0%
Year Variation (Calendar): -100.0%
Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -100.0%
Average CVSS: 3.48
Max CVSS: 7.5
Critical CVEs (≥9): 0
| Range | Count |
|---|---|
| 0.0-3.9 | 5 |
| 4.0-6.9 | 4 |
| 7.0-8.9 | 1 |
| 9.0-10.0 | 0 |
These are the five CVEs with the highest CVSS scores for niushop, sorted by severity first and recency.
SQL injection vulnerability in Niushop B2B2C v.5.3.3 and before allows an attacker to escalate privileges via the deleteArea() function of the Address.php component.
SQL injection vulnerability in Niushop B2B2C v.5.3.3 and before allows an attacker to escalate privileges via the setPrice() function of the Goodsbatchset.php component.
SQL Injection vulnerability in /app/api/controller/Store.php in Niushop B2B2C V5 allows attackers to run arbitrary SQL commands via latitude and longitude parameters.
SQL Injection vulnerability in the orderGoodsDelivery() function in Niushop B2B2C V5 allows attackers to run arbitrary SQL commands via the order_id parameter.
A vulnerability was found in Niushop B2B2C V5 and classified as critical. Affected by this issue is some unknown functionality of the file \app\model\Upload.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252140. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Niushop B2B2C Multi-business basic version V1.11, can bypass the administrator to obtain the background upload interface, through parameter upload, bypass the getimagesize function, upload php file, getshell.
In Niushop B2B2C Multi-Business Basic Edition V1.11, authentication can be bypassed, causing administrators to reset any passwords.
NIUSHOP V1.11 has CSRF via search_info to index.php.
NIUSHOP V1.11 has XSS via the index.php?s=/admin URI.
A file upload vulnerability in application/shop/controller/member.php in Niushop B2B2C Multi-business basic version V1.11 allows any remote member to upload a .php file to the web server via a profile avatar field, by using an image Content-Type (e.g., image/jpeg) with a modified filename and file content. This results in arbitrary code execution by requesting that .php file.