e107 CMS
CVE-2025-11941
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was detected in e107 CMS up to 2.3.3. This impacts an unknown function of the file /e107_admin/image.php?mode=main&action=avatar of the component Avatar Handler. Performing manipulation of the argument multiaction[] results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Path traversal in e107 CMS up to version 2.3.3 allows authenticated remote attackers to manipulate the multiaction[] parameter in the Avatar Handler (/e107_admin/image.php) to access or modify arbitrary files on the server. The vulnerability requires valid user credentials but has low CVSS impact (2.1) and extremely low exploitation probability (EPSS 0.11%), though publicly available exploit code exists and the vendor has not provided a response or patch.
Technical ContextAI
e107 is a lightweight PHP-based content management system. The vulnerability exists in the Avatar Handler component, specifically in the /e107_admin/image.php endpoint when invoked with mode=main and action=avatar parameters. The multiaction[] parameter is insufficiently sanitized before being used in file path operations, violating CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The path traversal flaw allows directory traversal sequences (such as ../ or similar encoding bypasses) to escape the intended avatar file directory and access arbitrary locations on the filesystem. The vulnerability requires PR:L (low privilege / authenticated user) access, suggesting it affects registered site members or administrative users rather than completely anonymous attackers.
RemediationAI
No vendor-released patch has been identified at time of analysis. The vendor was reportedly contacted early but has not responded or provided a fix version. Immediate mitigation options include: (1) Restrict access to /e107_admin/image.php to trusted IP ranges or network segments using web server configuration (Apache .htaccess or nginx location blocks), ensuring the Avatar Handler is not exposed to untrusted users; (2) Disable or remove the Avatar Handler component if not essential to operations, reducing attack surface; (3) Implement strict input validation and filtering on the multiaction[] parameter at the web application firewall (WAF) level to block directory traversal patterns (../, %2e%2e, etc.); (4) Require multi-factor authentication for all e107 administrative and user accounts to reduce credential compromise risk. Until a patch is available, organizations using e107 should evaluate migration to alternative CMS platforms with active security support or implement restrictive network segmentation around e107 instances.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today