Gh0Stf

**Name of the Vulnerable Software and Affected Versions** PhpOK version 5.4.137 **Description** The issue allows for SQL injection, enabling the injection of attachment data through SQL. This can then be used to call the attachment replacement function through the "api.php" endpoint to write a PHP file to a target path. **Recommendations** For PhpOK version 5.4.137, consider restricting access to the "api.php" endpoint until a patch is available. As a temporary workaround, avoid using the attachment replacement function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.