CVE-2018-10574

Name of the Vulnerable Software and Affected Versions: BigTree versions 4.2.22 and earlier

Description: The issue allows remote attackers to upload and execute arbitrary PHP code. This is because the BigTreeStorage class in core/inc/bigtree/apis/storage.php does not prevent uploads of .htaccess files, which can be exploited to execute malicious code. The API endpoint "site/index.php/admin/trees/add/" is specifically vulnerable to this attack.

Recommendations: For BigTree versions 4.2.22 and earlier, consider disabling the "site/index.php/admin/trees/add/" endpoint until a patch is available to prevent the upload and execution of arbitrary PHP code. Additionally, restrict access to the BigTreeStorage class in core/inc/bigtree/apis/storage.php to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.