Wps2015

#15649 of 53,624
17.3 Total CVSS
Vulnerabilities · 2
High: 1
Critical: 1

PT-2019-19852 · CVSS 7.5 · 2019-03-14
Phpshe · Phpshe · CVE-2019-9761

**Name of the Vulnerable Software and Affected Versions**
PHPSHE version 1.7

**Description**
A security issue was discovered, allowing unauthorized access to read any file in the system or scan the internal network without authentication. This is due to a call to `wechat_getxml` in the `include/plugin/payment/wechat/notify_url.php` file.

**Recommendations**
For PHPSHE version 1.7, consider restricting access to the `notify_url.php` file until a patch is available. As a temporary workaround, review the `wechat_getxml` function call to minimize potential exploitation risks. At the moment, there is no information about a newer version that contains a fix for this issue.

PT-2019-19853 · CVSS 9.8 · 2019-03-14
Phpshe · Phpshe · CVE-2019-9762

**Name of the Vulnerable Software and Affected Versions**
PHPSHE version 1.7

**Description**
A SQL Injection issue was found in the `include/plugin/payment/alipay/pay.php` file, specifically with the `id` parameter. This issue does not require any authentication to be exploited.

**Recommendations**
For PHPSHE version 1.7, consider restricting access to the vulnerable `pay.php` file or avoiding the use of the `id` parameter in the affected endpoint until a fix is available. At the moment, there is no information about a newer version that contains a fix for this issue.