Wcms · Wcms · CVE-2023-31689
**Name of the Vulnerable Software and Affected Versions**
Wcms version 0.3.2
**Description**
The issue allows an attacker to send a crafted request from a vulnerable web application backend server via the `finish` and `textAreaCode` parameters of the "/wcms/wex/html.php" endpoint. With this request the attacker can write arbitrary strings into custom file names, upload any files, and write malicious code to execute scripts, potentially triggering command execution.
**Recommendations**
For Wcms version 0.3.2, consider disabling the `finish` and `textAreaCode` parameters in the "/wcms/wex/html.php" endpoint until a patch is available. Restrict access to the "/wcms/wex/html.php" endpoint to minimize the risk of exploitation. Avoid using the `textAreaCode` parameter in the affected endpoint until the issue is resolved.
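
One way to apply both recommendations at the web server, shown as an added example that is not part of the original advisory or the Wcms project. It assumes Apache 2.4 with ModSecurity v2 in front of Wcms and that the parameters arrive as query-string or form fields; the admin network `192.0.2.0/24` and the rule id `31689` are placeholders.

```apache
# Added example: interim mitigation for CVE-2023-31689 (Wcms 0.3.2).
# Assumptions: Apache 2.4 + ModSecurity v2; Wcms served under /wcms/.

# 1. Restrict access to the affected endpoint to a trusted admin network.
#    192.0.2.0/24 is a documentation range; replace it with your own.
<Location "/wcms/wex/html.php">
    Require ip 192.0.2.0/24
</Location>

# 2. Reject any request to the endpoint that carries the `finish` or
#    `textAreaCode` parameter. Phase 2 runs after the request body is
#    parsed, so form fields in a POST body are inspected as well as the
#    query string.
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On

    # Rule id 31689 is a placeholder from the local-use id range.
    SecRule REQUEST_FILENAME "@endsWith /wcms/wex/html.php" \
        "id:31689,phase:2,deny,status:403,log,t:none,msg:'Wcms html.php request with finish or textAreaCode parameter (CVE-2023-31689)',chain"
        SecRule ARGS_NAMES "@rx ^(?:finish|textAreaCode)$" "t:none"
</IfModule>
```

Denied requests are recorded in the ModSecurity audit log with the rule message, which also gives a record of attempts against the endpoint while the mitigation is in place.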