CVE-2022-23048

Name of the Vulnerable Software and Affected Versions Exponent CMS version 2.6.0patch2

Description The issue allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After uploading, the PHP file will be placed at "themes/simpletheme/{rce}.php" from where it can be accessed in order to execute commands.

Recommendations For Exponent CMS version 2.6.0patch2, consider restricting access to the extension upload feature for admin users until a patch is available. As a temporary workaround, monitor the "themes/simpletheme/" directory for any malicious PHP files and remove them promptly to prevent command execution.