Is there a public PoC exploit available for CVE-2025-7898?

Yes, a public proof-of-concept exploit is available for CVE-2025-7898. Prioritise patching immediately. EPSS: 0.1%.

Codecanyon iDentSoft CVE-2025-7898

Q: What is the CVSS score of CVE-2025-7898?

CVE-2025-7898 has a CVSS 4.0 base score of 2.0 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

LOW

Improper Access Control (CWE-284)

2025-07-20 cna@vuldb.com

Authentication Bypass File Upload Identsoft

2.0

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.0 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 29, 2026 - 01:25 vuln.today

DescriptionCVE.org

A vulnerability was found in Codecanyon iDentSoft 2.0. It has been classified as critical. This affects an unknown part of the file /clinica/profile/updateSetting of the component Account Setting Page. The manipulation of the argument photo leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

Unrestricted file upload in Codecanyon iDentSoft 2.0 Account Setting Page allows high-privileged remote attackers to upload arbitrary files via the photo parameter in /clinica/profile/updateSetting, potentially enabling code execution or system compromise. CVSS score of 2.0 reflects the requirement for high-privilege authentication, but publicly available exploit code exists and the vulnerability has been disclosed. This is primarily a privilege-escalation concern affecting administrators rather than a default-configuration flaw.

Technical ContextAI

The vulnerability exists in the Account Setting Page component, specifically in the /clinica/profile/updateSetting endpoint that handles photo uploads. CWE-284 (Improper Access Control / Insufficient Access Control) indicates that the file upload mechanism fails to properly validate or restrict file types and content before storage or execution. The 'photo' parameter accepts unvalidated input, suggesting the application does not implement proper MIME type checking, file extension validation, or upload directory isolation. This is a common pattern in poorly-secured web applications using PHP or similar server-side languages where user-supplied files are directly accessible or executable.

RemediationAI

Apply a vendor-released security patch or upgrade to a patched version if available from Codecanyon/Ambitious IT BD - no specific patched version number was identified in available references. In the interim, implement strict server-side file upload validation: restrict accepted file extensions to a whitelist (e.g., .jpg, .png, .gif only), validate MIME types server-side, reject executable extensions (.php, .exe, .sh, etc.), and store uploaded files outside the web root or in a non-executable directory with appropriate permissions (e.g., chmod 644). Configure the web server to prevent script execution in the upload directory (e.g., disable PHP execution via .htaccess or nginx config). Limit the /clinica/profile/updateSetting endpoint to authenticated administrators only and log all file upload activity for audit. If the application supports it, implement size limits on uploaded files to prevent disk exhaustion attacks.

CVE-2025-7898 vulnerability details – vuln.today

Back