Yu Yang

**Name of the Vulnerable Software and Affected Versions** SOY CMS version 3.0.2 **Description** The issue allows remote attackers to execute arbitrary PHP code via a <?php substring in the second text box. It is based on an assumption that the content is made editable on its own. **Recommendations** For SOY CMS version 3.0.2, consider removing or restricting the ability to input PHP code in the second text box as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WCMS version 0.3.2 **Description** The issue concerns an arbitrary file upload vulnerability. This is due to the `fm get text exts` function considering `.php` as a valid extension, allowing for potential malicious file uploads via the `developer/finder` component. **Recommendations** For WCMS version 0.3.2, consider restricting or disabling the file upload functionality in the `developer/finder` component until a proper fix is available. Additionally, review and modify the `fm get text exts` function to exclude `.php` from valid extensions to prevent malicious uploads.