PT-2019-12268 · Wcms · Wcms
Yu Yang · Published 2019-04-20 · Updated 2019-04-22
CVE-2019-11377
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
WCMS version 0.3.2
Description
The issue is an arbitrary file upload vulnerability. The fm_get_text_exts function treats .php as a valid extension, which allows potentially malicious files to be uploaded via the developer/finder component.
Recommendations
For WCMS version 0.3.2, consider restricting or disabling the file upload functionality in the developer/finder component until a proper fix is available. Additionally, review and modify the fm_get_text_exts function to exclude .php from the valid extensions to prevent malicious uploads.
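As an added example (not WCMS code), the following PHP shows an upload-extension check in the weak form the advisory describes beside a hardened form. The function names, the allowlist contents and the list of server-executable extensions are assumptions; which extensions a server actually executes depends on its handler configuration.

```php
<?php
// Added example, not WCMS code. Names and lists are hypothetical.

// Weak form: the allowlist of "text" extensions also admits .php, so any
// file the file manager accepts as text is also executable by the server.
function weak_get_text_exts(): array {
    return ['txt', 'md', 'html', 'css', 'js', 'json', 'xml', 'php'];
}

function weak_is_allowed(string $name): bool {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, weak_get_text_exts(), true);
}

// Hardened form: no server-executable extension is on the allowlist, and a
// denylist is applied to every dotted segment of the name so that variants
// such as "page.php.txt" are also rejected (some Apache setups match a
// handler on any extension present in the filename, not only the last).
const SERVER_EXECUTABLE_EXTS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps',
];

function hardened_get_text_exts(): array {
    return ['txt', 'md', 'html', 'css', 'js', 'json', 'xml'];
}

function hardened_is_allowed(string $name): bool {
    $base = basename($name);                 // drop any path component
    if ($base === '' || $base[0] === '.') {
        return false;                        // reject dotfiles such as .htaccess
    }
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return false;                        // require an extension at all
    }
    foreach (array_slice($parts, 1) as $segment) {
        if (in_array($segment, SERVER_EXECUTABLE_EXTS, true)) {
            return false;                    // executable segment anywhere
        }
    }
    return in_array(end($parts), hardened_get_text_exts(), true);
}

// Constructed sample names: the weak check accepts the .php variants,
// the hardened check rejects every executable one.
$samples = ['notes.txt', 'style.css', 'index.php', 'shell.PHP',
            'page.php.txt', 'a.phtml', '.htaccess'];
foreach ($samples as $n) {
    printf("%-14s weak=%-5s hardened=%s\n", $n,
        var_export(weak_is_allowed($n), true),
        var_export(hardened_is_allowed($n), true));
}
```

Removing .php from the allowlist addresses the reported case; serving uploads from a directory where script execution is disabled limits the impact of any extension the list still misses.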
Weakness Enumeration
Unrestricted File Upload
Related Identifiers
Affected Products
Wcms