PerfreeBlog
CVE-2025-60735
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Network-reachable installPlugin needs at least low-privilege auth (PR:L, AC:L); arbitrary file upload yields web-shell code execution, so C/I/A are all High rather than NVD's Low.
Primary rating from Vendor (mitre).
CVSS Vector (Vendor: mitre)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Description (CVE.org)
PerfreeBlog v4.0.11 has a File Upload vulnerability in the installPlugin function.
Analysis (AI)
Arbitrary file upload in PerfreeBlog 4.0.11 lets an authenticated user abuse the installPlugin function to upload malicious files, likely enabling web shell deployment and remote code execution on the blog server. A public technical write-up with proof-of-concept exists on GitHub, though the flaw is not listed in CISA KEV and carries a low EPSS score (0.28%, 20th percentile), indicating no confirmed widespread exploitation yet.
Technical Context (AI)
PerfreeBlog is a Java-based blogging/CMS platform (perfree.org.cn) built around an extensible plugin architecture. The vulnerability resides in the installPlugin function, which handles plugin package uploads and installation. It is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type): the installer fails to properly validate the type, extension, or content of uploaded plugin files, allowing a crafted file (for example a JSP/servlet or executable payload disguised as a plugin) to be written into a server-accessible or executable location. The affected build is precisely identified by CPE cpe:2.3:a:perfree:perfreeblog:4.0.11.
Remediation (AI)
No vendor-released patched version is identified in the available data at the time of analysis, so monitor the vendor at https://perfree.org.cn/ and the project release channel for a fixed build superseding 4.0.11. As compensating controls, restrict network access to the administrative and plugin-management endpoints (for example via IP allowlisting, VPN, or a reverse-proxy rule blocking the installPlugin route) so that only trusted operators can reach them; enforce strong, unique credentials and least-privilege accounts, since exploitation requires authentication (PR:L); and place a WAF or upload-filtering rule in front of the application to reject plugin uploads containing executable content such as JSP, servlet, or script payloads. The trade-offs are that blocking or filtering the plugin-install route disables legitimate plugin installation until a fix is applied, and WAF content rules may need tuning to avoid breaking valid plugin packages. As a detection measure, also review the plugin storage directory for unexpected files, and consult the public GitHub write-up mentioned in the analysis to build precise signatures.
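The upload-filtering and plugin-directory review described above, as an added example (not PerfreeBlog's own code). It assumes plugin packages are zip/jar archives and uses an assumed extension blocklist; the real PerfreeBlog plugin layout is not given on this page, so tune both to the deployment.

```python
import io
import os
import posixpath
import zipfile

# Extensions the remediation wants rejected in plugin uploads (JSP/servlet/script payloads).
# Assumption for this example: adjust to what a legitimate plugin is allowed to contain.
DANGEROUS_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".jsw", ".jsv", ".sh", ".war"}

def is_unsafe_entry_name(name: str) -> bool:
    """True if an archive entry is absolute or escapes the extraction directory (zip slip)."""
    normalized = posixpath.normpath(name.replace("\\", "/"))
    return normalized.startswith("/") or normalized == ".." or normalized.startswith("../")

def has_dangerous_extension(name: str) -> bool:
    return posixpath.splitext(name.lower())[1] in DANGEROUS_EXTENSIONS

def check_plugin_archive(data: bytes) -> list[str]:
    """Pre-install check: return findings for a plugin package (empty list = nothing found).
    Assumes the package is a zip/jar archive; a non-archive upload is itself a finding."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if is_unsafe_entry_name(info.filename):
                    findings.append(f"path traversal entry: {info.filename}")
                if has_dangerous_extension(info.filename):
                    findings.append(f"executable web content: {info.filename}")
    except zipfile.BadZipFile:
        findings.append("not a valid zip/jar archive")
    return findings

def scan_plugin_dir(root: str) -> list[str]:
    """Detection: list files already under the plugin storage directory with dangerous extensions."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        hits.extend(os.path.join(dirpath, fn) for fn in filenames if has_dangerous_extension(fn))
    return sorted(hits)

def _build_sample_archive() -> bytes:
    """Constructed sample: one benign entry plus two entries the filter should reject."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin.properties", "name=demo\n")
        zf.writestr("static/shell.jsp", "<% %>")
        zf.writestr("../../webapps/ROOT/x.jsp", "<% %>")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in check_plugin_archive(_build_sample_archive()):
        print(finding)
```

`check_plugin_archive` runs before the package is handed to the installer; `scan_plugin_dir` is the periodic review of the plugin storage directory.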