PT-2025-23613 · Phpcms · Phpcms
Dem0 · Published 2025-06-03 · Updated 2026-01-20 · CVE-2025-5498
CVSS v3.1: 7.2 High
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
slackero phpwcms versions 1.9.45 and earlier, slackero phpwcms versions 1.10.8 and earlier
Description
A critical issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php in the Custom Source Tab component. The manipulation of the argument cpage_custom leads to deserialization. This issue can be exploited remotely.
Recommendations
For slackero phpwcms versions 1.9.45 and earlier, upgrade to version 1.9.46.
For slackero phpwcms versions 1.10.8 and earlier, upgrade to version 1.10.9.
Exploit
Fix
RCE
Deserialization of Untrusted Data
Affected Products
Phpcms