CVE-2018-25162

MEDIUM
2026-03-06 [email protected]
6.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
PoC Detected
Mar 09, 2026 - 13:35 vuln.today
Public exploit code
CVE Published
Mar 06, 2026 - 13:15 nvd
MEDIUM 6.5

Tags

PHP RCE

Description

2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. Attackers can upload PHP files through the userfile1 parameter with action=upload, which are stored in the files directory and executed by the web server for remote code execution.

Analysis

2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. [CVSS 6.5 MEDIUM]

Technical Context

Classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). 2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. Attackers can upload PHP files through the userfile1 parameter with action=upload, which are stored in the files directory and executed by the web server for remote code execution.

Affected Products

Component: userfile1.

Remediation

Monitor vendor advisories for a patch. Validate file types by content. Store uploads outside web root. Restrict network access to the affected service where possible.

Priority Score

53
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +32
POC: +20

Share

CVE-2018-25162 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy