The /shop.php endpoint is vulnerable to a SQL Injection in the modifiers[attribute][] parameter.
Note: Upon discovery, our team immediately initiated the responsible disclosure process by contacting the vendor behind Gambio. Unfortunately, despite multiple attempts, our attempts to engage the vendor in resolving this issue have been met with silence. The vulnerability is still unfixed.

Proof of Concept
The SQL Injection is error-based and can be triggered using a GET request to the following endpoint:
/shop.php?do=CheckStatus/Attributes&galleryHash=dddd&modifiers%5Battribute%5D%5B4%5D=9'&products_id=2&products_qty=1&target=cart&isProductInfo=1&page_token=
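Because the vulnerability is unfixed, the practical defensive step is to spot injection attempts against this parameter in web server logs. The following is an added example, not part of the advisory or of Gambio's code; it assumes that modifiers[attribute][N] values are legitimately plain integer attribute ids, and it runs over constructed sample log lines, not real traffic.

```python
"""Flag /shop.php requests whose modifiers[attribute][N] values are not plain
integers, the shape of the injection described in the advisory."""
import re
from urllib.parse import urlsplit, parse_qsl

# Decoded key shape: modifiers[attribute][<index>]
ATTR_KEY = re.compile(r"^modifiers\[attribute\]\[\d*\]$")
# Common SQL metacharacters / keywords used to label why a value was flagged.
SQL_META = re.compile(
    r"['\"`;]|--|/\*|\b(or|and|union|select|sleep|extractvalue|updatexml)\b", re.I
)
# Common Log Format request line: client ip ... "METHOD path HTTP/x.y"
REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) .*? "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"'
)

# Constructed sample log lines (RFC 5737 documentation addresses, not real data).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /shop.php?do=CheckStatus/Attributes&galleryHash=dddd&modifiers%5Battribute%5D%5B4%5D=9'&products_id=2&products_qty=1&target=cart HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /shop.php?do=CheckStatus/Attributes&modifiers%5Battribute%5D%5B4%5D=9&products_id=2&products_qty=1&target=cart HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /product_info.php?products_id=2 HTTP/1.1" 200 2048
"""


def suspicious_attribute_values(log_text):
    """Return (ip, key, value, reason) for each modifiers[attribute][] value on
    /shop.php that is not a plain integer. Assumption: the only legitimate
    content of that parameter is a numeric attribute id."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if parts.path != "/shop.php":
            continue
        # parse_qsl percent-decodes both keys and values.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if not ATTR_KEY.match(key) or value.isdigit():
                continue
            reason = "sql-metacharacter" if SQL_META.search(value) else "non-numeric"
            hits.append((m.group("ip"), key, value, reason))
    return hits


if __name__ == "__main__":
    for hit in suspicious_attribute_values(SAMPLE_LOG):
        print(hit)
```

The same check can be applied as a WAF or reverse-proxy rule: reject any modifiers[attribute][] value that is not purely numeric before it reaches shop.php.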