Which versions of PHP are affected by CVE-2018-25162?

Organizations using 2-Plan Team 1.0.4 should be aware of notable risk from CVE-2018-25162, a unrestricted file upload vulnerability rated CVSS 6.5. This could allow unauthorized file access.

Is there a public PoC exploit available for CVE-2018-25162?

Yes, a public proof-of-concept exploit is available for CVE-2018-25162. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2018-25162?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Review file handling controls.

PHP CVE-2018-25162

Q: What is the CVSS score of CVE-2018-25162?

CVE-2018-25162 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

HIGH

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-03-06 disclosure@vulncheck.com

PHP RCE File Upload

7.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 15, 2026 - 15:22 NVD

MEDIUM HIGH

CVSS changed

Apr 15, 2026 - 15:22 NVD

6.5 (MEDIUM) 7.1 (HIGH)

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

PoC Detected

Mar 09, 2026 - 13:35 vuln.today

Public exploit code

CVE Published

Mar 06, 2026 - 13:15 nvd

MEDIUM 6.5

DescriptionNVD

2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. Attackers can upload PHP files through the userfile1 parameter with action=upload, which are stored in the files directory and executed by the web server for remote code execution.

AnalysisAI

Technical ContextAI

Classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). 2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. Attackers can upload PHP files through the userfile1 parameter with action=upload, which are stored in the files directory and executed by the web server for remote code execution.

Affected ProductsAI

Component: userfile1.

RemediationAI

Monitor vendor advisories for a patch. Validate file types by content. Store uploads outside web root. Restrict network access to the affected service where possible.

CVE-2018-25162 vulnerability details – vuln.today

Back

PHP CVE-2018-25162

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

PHP CVE-2018-25162

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code