CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description
A vulnerability classified as critical has been found in slackero phpwcms up to 1.9.45/1.10.8. The affected code is the is_file/getimagesize call in the file image_resized.php. Manipulation of the argument imgfile leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 or 1.10.9 addresses this issue; upgrading the affected component is recommended.
Analysis
Critical remote code execution vulnerability in slackero phpwcms affecting versions up to 1.9.45 and 1.10.8. The vulnerability exists in the image_resized.php file, where unsanitized input to the 'imgfile' parameter is passed to PHP's is_file() and getimagesize() functions, leading to unsafe deserialization. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution. The CVSS score is 7.3; the vulnerability has been publicly disclosed with working exploits available, making active exploitation highly probable.
Technical Context
The vulnerability is a CWE-20 (Improper Input Validation) issue in the image processing pipeline of phpwcms, a PHP-based content management system. The vulnerable code path passes the user-supplied 'imgfile' parameter to PHP's is_file() and getimagesize() functions without proper validation. The attack surface is the image_resized.php endpoint, which accepts GET/POST parameters. PHP's object deserialization (the unserialize() function or similar) can be triggered through a malformed serialized object payload in the imgfile parameter, potentially leading to gadget chain exploitation. The root cause is insufficient input validation (CWE-20) combined with unsafe deserialization of user-controllable input, a well-known PHP vulnerability pattern. Affected CPE: cpe:2.3:a:slackero:phpwcms:*:*:*:*:*:*:*:* (versions <=1.9.45 in the 1.9.x branch and <=1.10.8 in the 1.10.x branch).
Affected Products
slackero phpwcms: 1.9.45 and earlier (1.9.x branch); 1.10.8 and earlier (1.10.x branch)
Remediation
Patching: Upgrade phpwcms to version 1.9.46 or 1.10.9 or later. Priority: CRITICAL; timeline: immediate.
Input Validation: If patching is delayed, implement strict whitelist validation of the 'imgfile' parameter in image_resized.php to reject any serialized PHP object payload (detect the 'O:' pattern in the input). Priority: HIGH.
Web Application Firewall: Deploy WAF rules that block GET/POST requests to image_resized.php containing serialized-object indicators or encoded payloads, and block requests whose 'imgfile' parameter contains suspicious characters. Priority: HIGH.
Network Segmentation: If the phpwcms instance is internet-facing and unpatched, restrict direct internet access to the web root containing image_resized.php or put it behind a reverse proxy that requires authentication. Priority: MEDIUM.
Monitoring: Enable access logging for image_resized.php and alert on anomalous imgfile parameter values; monitor for POST requests with high-entropy or serialized-object patterns. Priority: MEDIUM.
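As an added defender-side example (not code from this page or from the phpwcms project), the Monitoring item above turned into a small access-log scanner: it pulls the imgfile query value out of requests to image_resized.php, URL-decodes it a second time to expose double-encoded values, and flags the serialized-object 'O:' header, suspicious characters and high entropy. The regular expressions, the 4.0-bit entropy threshold and the sample log lines are assumptions constructed for the example.

```python
import math
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit
# Request part of a Common Log Format line; POST bodies are not logged, so only the query
# string is visible here (body inspection needs the WAF or the application log).
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
PHP_OBJECT_RE = re.compile(r'O:\d+:"')  # serialized PHP object header (the 'O:' indicator)
SUSPICIOUS_RE = re.compile(r'[{}:;"\x00]')  # never part of a plain image file name
ENTROPY_THRESHOLD = 4.0  # assumed cut-off for "high entropy" values; tune per site

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded blobs score higher than ordinary file names."""
    probs = [text.count(c) / len(text) for c in set(text)]
    return -sum(p * math.log2(p) for p in probs)

def imgfile_from_line(line: str):
    """Decoded imgfile value if the line is a request to image_resized.php, else None."""
    match = REQUEST_RE.search(line)
    url = urlsplit(match.group("target")) if match else None
    if url is None or not url.path.endswith("/image_resized.php"):
        return None
    values = parse_qs(url.query).get("imgfile")
    # parse_qs decoded once; a second decode exposes double-encoded payloads
    return unquote_plus(values[0]) if values else None

CHECKS = [  # the indicators the Monitoring item asks to alert on
    ("serialized-php-object", lambda v: bool(PHP_OBJECT_RE.search(v))),
    ("suspicious-characters", lambda v: bool(SUSPICIOUS_RE.search(v))),
    ("high-entropy", lambda v: shannon_entropy(v) > ENTROPY_THRESHOLD),
]

def classify_imgfile(value: str) -> list:
    return [name for name, check in CHECKS if check(value)]  # empty list = looks benign

def scan_access_log(lines) -> list:
    """(line_number, imgfile_value, reasons) for every request worth an alert."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = imgfile_from_line(line)
        if value is not None and (reasons := classify_imgfile(value)):
            hits.append((number, value, reasons))
    return hits
# Constructed sample lines (not real traffic): benign, serialized object, double-encoded
# serialized object, high-entropy encoded blob, and an unrelated page.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /image_resized.php?imgfile=photo.jpg&w=200 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2025:10:00:01 +0000] "GET /image_resized.php?imgfile=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 500 0
203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "GET /image_resized.php?imgfile=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D HTTP/1.1" 500 0
203.0.113.9 - - [01/Jan/2025:10:00:03 +0000] "GET /image_resized.php?imgfile=Zk9xTjd2c1RiYTVwUzRoZ3lMM2NuVXcxcjhYZWs%3D HTTP/1.1" 500 0
203.0.113.7 - - [01/Jan/2025:10:00:04 +0000] "GET /index.php?id=1 HTTP/1.1" 200 2048
""".splitlines()
```

Running scan_access_log(SAMPLE_LOG) reports lines 2 and 3 for the serialized-object header and suspicious characters, and line 4 for high entropy; the benign request and the unrelated page produce no alert.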
EUVD-2025-16733