code-projects Voting System CVE-2025-11508
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in code-projects Voting System 1.0. This affects an unknown function of the file /admin/voters_add.php. Such manipulation of the argument photo leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
AnalysisAI
Unrestricted file upload in code-projects Voting System 1.0 allows authenticated high-privilege administrators to upload arbitrary files via the photo parameter in /admin/voters_add.php, potentially leading to remote code execution. The vulnerability requires high-privilege credentials (PR:H) to exploit and affects only administrative functions; publicly available exploit code exists but exploitation is limited to admin-authenticated attackers with access to the administrative interface.
Technical ContextAI
The vulnerability exists in the PHP file /admin/voters_add.php, which processes file uploads through the photo parameter without proper validation or restriction on file types. CWE-284 (Improper Access Control) indicates the root cause is inadequate authorization checks on the file upload functionality. The affected product is a PHP-based voting application, and the vulnerability allows bypassing file type restrictions on the photo upload field. This is a classic unrestricted file upload flaw where the application fails to validate file extensions, MIME types, or content before storing uploaded files in a web-accessible directory.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate remediation requires upgrading to a patched version if released by code-projects (verify at https://code-projects.org/). If no patched version is available, implement compensating controls: (1) Restrict direct file access to /admin/voters_add.php by validating and rejecting file uploads with non-image extensions (e.g., .php, .phtml, .exe); move uploaded files to a non-web-accessible directory outside the webroot, then serve via a download script that enforces appropriate MIME types. (2) Implement strict file type validation using whitelisting (allow only .jpg, .png, .gif) and verify file headers (magic bytes), not just extensions. (3) Disable PHP execution in upload directories via web server configuration (.htaccess for Apache: 'php_flag engine off' or IIS/nginx equivalents). (4) Restrict access to /admin/* paths via Web Application Firewall or network segmentation to only trusted admin IP ranges. (5) Enforce strong, unique admin credentials and implement MFA on admin login. Effectiveness: compensating controls significantly reduce exploitability but do not eliminate the underlying flaw; patching is required for complete resolution.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today