B0Z

**Name of the Vulnerable Software and Affected Versions** Plogger versions 1.0 RC1 and earlier **Description** The issue allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file and a non-zero length PNG file, then accessing the PHP file via a direct request to it in "plog-content/uploads/archive/". **Recommendations** For Plogger versions 1.0 RC1 and earlier, restrict access to the plog-admin/plog-upload.php file to prevent unauthorized file uploads until a fix is available. As a temporary workaround, consider disabling the file upload functionality in plog-admin/plog-upload.php to minimize the risk of exploitation.