CVE-2019-8908

Name of the Vulnerable Software and Affected Versions WTCMS version 1.0

Description An issue in WTCMS allows remote attackers to execute arbitrary PHP code. This can be achieved by accessing the "Setting -> Mailbox configuration -> Registration email template" screen and uploading an image file with a .php filename, while setting the Content-Type header to image/gif.

Recommendations For WTCMS version 1.0, as a temporary workaround, consider restricting access to the "Setting -> Mailbox configuration -> Registration email template" screen until a patch is available. Avoid uploading files with executable extensions, such as .php, in the registration email template. At the moment, there is no information about a newer version that contains a fix for this vulnerability.