Phpcms · Phpcms · CVE-2021-36425
**Name of the Vulnerable Software and Affected Versions**
phpcms version 1.9.25
**Description**
A directory traversal vulnerability allows remote attackers to delete arbitrary files. The `file` parameter passed to the `unlink` method in the `include/inc act/act ftptakeover.php` file is not filtered.
**Recommendations**
For phpcms version 1.9.25, consider restricting access to the `unlink` method in the `include/inc act/act ftptakeover.php` file to prevent arbitrary file deletion. Additionally, filtering the `file` parameter can help mitigate the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
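
The following is an added example of the parameter filtering recommended above; it is not phpcms code. The helper name `safe_unlink`, the `uploads` base directory and the file names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not phpcms code): delete $userFile only if it resolves
// to a regular file strictly inside $baseDir.
function safe_unlink(string $baseDir, string $userFile): bool
{
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($userFile === '' || strpos($userFile, "\0") !== false) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // realpath() collapses "../" sequences and follows symlinks, so the
    // comparison below is made on the location that would really be deleted.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userFile);
    if ($target === false) {
        return false; // nonexistent path
    }
    // The trailing separator stops "/srv/uploads_evil" matching "/srv/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return is_file($target) && unlink($target);
}

// Constructed demo tree in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'unlink_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/old.txt', 'stale upload');
file_put_contents($root . '/config.php', '<?php // must survive');

$requests = ['old.txt', '../config.php', 'sub/../../config.php', $root . '/config.php', ''];
foreach ($requests as $file) {
    printf("%-40s %s\n", var_export($file, true), safe_unlink($root . '/uploads', $file) ? 'deleted' : 'refused');
}
printf("config.php still present: %s\n", var_export(is_file($root . '/config.php'), true));

// Clean up the demo tree.
unlink($root . '/config.php');
rmdir($root . '/uploads');
rmdir($root);
```

The path check complements, and does not replace, the access restriction on the `unlink` method: the caller still has to be authorized to delete files at all.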