Z Blogphp · Z-Blogphp · CVE-2018-9153
**Name of the Vulnerable Software and Affected Versions**
Z-BlogPHP version 1.5.1
**Description**
The issue allows remote attackers to execute arbitrary PHP code via the `app_id` parameter to "zb_users/plugin/AppCentre/plugin_edit.php" due to an unanchored regular expression. This can be exploited by accessing the component directly as an administrator or through a CSRF attack.
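To show why an unanchored regular expression fails as an input check, the following added example (not code from Z-BlogPHP) compares three ways of validating an identifier in PHP. The pattern, the function names and the sample values are assumptions constructed for illustration.

```php
<?php
// Added illustration: NOT code from Z-BlogPHP. The character class, length
// limits, function names and sample inputs are assumptions for this example.

// Unanchored: preg_match() succeeds if ANY substring matches, so characters
// before or after a valid-looking run are silently accepted.
function id_ok_unanchored(string $id): bool
{
    return preg_match('/[A-Za-z0-9_]{3,30}/', $id) === 1;
}

// ^...$ looks anchored, but in PCRE "$" also matches just before a trailing
// newline unless the D modifier is set.
function id_ok_caret_dollar(string $id): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,30}$/', $id) === 1;
}

// \A and \z pin the match to the first and last byte of the subject, so the
// whole value has to consist of allowed characters.
function id_ok_strict(string $id): bool
{
    return preg_match('/\A[A-Za-z0-9_]{3,30}\z/', $id) === 1;
}

// Constructed sample inputs.
$samples = [
    'demo_plugin',        // well-formed identifier
    "demo_plugin\n",      // valid run followed by a newline
    'demo_plugin/../x',   // path characters after a valid prefix
    '<b>demo_plugin</b>', // markup around a valid run
    'ab',                 // shorter than the minimum length
];

foreach ($samples as $id) {
    printf(
        "%-24s unanchored=%-5s caret_dollar=%-5s strict=%s\n",
        json_encode($id, JSON_UNESCAPED_SLASHES),
        var_export(id_ok_unanchored($id), true),
        var_export(id_ok_caret_dollar($id), true),
        var_export(id_ok_strict($id), true)
    );
}
```

Only the `\A...\z` form rejects every sample that contains anything other than the allowed characters. A check of this kind belongs on the server side, before the value is used in a file name or written to disk.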
**Recommendations**
For Z-BlogPHP version 1.5.1, consider restricting access to the "plugin_edit.php" file in the "AppCentre" plugin to minimize the risk of exploitation. Avoid using the `app_id` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.