Socialengine · Socialengine Timeline Plugin · CVE-2013-4898
**Name of the Vulnerable Software and Affected Versions**
SocialEngine Timeline Plugin version 4.2.5p9
**Description**
The issue allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension through the user profile page feature, and then requesting that file directly from `public/temporary/timeline/`.
**Recommendations**
For SocialEngine Timeline Plugin version 4.2.5p9, consider restricting file uploads to only allowed extensions as a temporary workaround until a patch is available. Restrict access to the `public/temporary/timeline/` directory to minimize the risk of exploitation.
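One way to apply both recommendations, as an added example that is not SocialEngine's or the plugin's own code: the same extension allow-list validates upload names and flags access-log requests into `public/temporary/timeline/` for files that fail it. The allowed extensions, the combined log format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: the timeline feature only needs these image types.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
TIMELINE_DIR = "public/temporary/timeline/"  # directory named in the advisory

# Request part of a common/combined access-log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2014:10:00:01 +0000] "GET /public/temporary/timeline/cover_1.jpg HTTP/1.1" 200 48211',
    '203.0.113.7 - - [01/Jan/2014:10:00:09 +0000] "GET /public/temporary/timeline/cover_2.php HTTP/1.1" 200 17',
    '203.0.113.9 - - [01/Jan/2014:10:02:30 +0000] "GET /public/temporary/timeline/cover_3.PHP.jpg?x=1 HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Jan/2014:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
]


def is_allowed_name(filename):
    """Allow-list check: every dot-separated suffix must be an allowed extension."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension at all, or a dotfile such as ".htaccess"
    # Checking every suffix also rejects names like "x.php.jpg" and "x.jpg.",
    # since a web server may pick a handler from a suffix that is not the last.
    return all(ext in ALLOWED_EXTENSIONS for ext in parts[1:])


def suspicious_requests(log_lines):
    """Return (path, status) for timeline-directory requests that fail the allow-list."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = unquote(urlsplit(match.group(1)).path)  # drop query, decode %xx
        if TIMELINE_DIR not in path:
            continue
        filename = path.rsplit("/", 1)[-1]
        if filename and not is_allowed_name(filename):
            hits.append((path, int(match.group(2))))
    return hits


if __name__ == "__main__":
    for path, status in suspicious_requests(SAMPLE_LOG):
        print(status, path)
```

A flagged request that returned status 200 means a file outside the allow-list is present in the directory and was served, which warrants inspecting and removing it.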