PerfreeBlog
CVE-2025-60731
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Network-reachable low-complexity upload needing an authenticated account (PR:L); arbitrary file upload yields web-shell code execution, so C/I/A all High rather than the vendor's Low I/A.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
PerfreeBlog v4.0.11 has a File Upload vulnerability in the installTheme function
AnalysisAI
Arbitrary file upload in PerfreeBlog v4.0.11 lets an authenticated attacker abuse the installTheme function to upload malicious files (e.g. a web shell), typically resulting in server-side code execution and full compromise of the blog host. The flaw is a classic unrestricted-upload issue (CWE-434) reachable over the network by a low-privileged authenticated user; publicly available exploit code exists in the form of a GitHub write-up, though EPSS exploitation probability remains low (0.28%, 20th percentile) and it is not listed in CISA KEV.
Technical ContextAI
PerfreeBlog is a lightweight open-source (Java/Spring-based) blogging and content-management system maintained at perfree.org.cn, identified precisely by cpe:2.3:a:perfree:perfreeblog:4.0.11. The vulnerability lives in the installTheme function, which is intended to accept and deploy theme packages. Rooted in CWE-434 (Unrestricted Upload of File with Dangerous Type), the function fails to validate the type, extension, or content of uploaded files, so an attacker can supply an executable server-side payload instead of a legitimate theme archive. Because themes are unpacked into a web-accessible or server-executable location, an uploaded script can subsequently be invoked to run attacker-controlled code within the application's context.
RemediationAI
No vendor-released patch identified at time of analysis; the only vendor reference is the project homepage (https://perfree.org.cn/), so monitor it and the project's release channel for a fixed build after 4.0.11 and upgrade as soon as one is published. As compensating controls until a patch is available: restrict access to the theme-installation endpoint/installTheme function to trusted administrators only (tighten role permissions so ordinary authors cannot reach it), place the admin panel behind a VPN or IP allowlist to remove untrusted network reachability (trade-off: complicates legitimate remote administration), and enforce server-side validation or a WAF rule that blocks upload of executable extensions (.jsp, .jspx, .php, etc.) to the theme path (trade-off: may block legitimate theme packages containing such files). Additionally, configure the theme/upload directory as non-executable at the web-server layer to neutralize dropped web shells (trade-off: could break themes that rely on server-side scripts). Reference the PoC write-up above to build detection signatures for anomalous installTheme requests.
More in Perfreeblog
View allIn PerfreeBlog version 4.0.11, regular users can exploit the arbitrary file upload vulnerability in the attach component
Arbitrary file deletion in PerfreeBlog 4.0.11 lets attackers remove files outside the intended theme directory by abusin
Arbitrary file read in PerfreeBlog v4.0.11 allows unauthenticated remote attackers to read files outside the intended we
Stored cross-site scripting vulnerability exists in PerfreeBlog v4.0.11 in the website name field of the backend system
Arbitrary file upload in PerfreeBlog 4.0.11 lets an authenticated user abuse the installPlugin function to upload malici
PerfreeBlog v4.0.11 has an arbitrary file read vulnerability in the getThemeFileContent function. Rated high severity (C
PerfreeBlog v4.0.11 has a directory traversal vulnerability in the getThemeFilesByName function. Rated high severity (CV
A vulnerability has been found in PerfreeBlog 4.0.11 and classified as problematic. Rated medium severity (CVSS 6.3), th
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today