Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Traq Remote Code Execution Vulnerability in Admin Control Panel

Vulnerability

A remote code execution vulnerability has been identified in Traq versions 2.0 through 2.3. The issue arises in the admincp/common.php script, where flawed authorization logic allows unauthenticated users to access admin-only functionality. This vulnerability can be exploited through plugins.php to inject and execute arbitrary PHP code.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where Traq is installed.

Reproduction

The vulnerability can be reproduced by sending a POST request to 'admincp/plugins.php' with a payload that includes PHP code, encoded in base64, and a command to execute. After the plugin is created, the injected code can be executed by sending a GET request to 'index.php' with a header that includes the base64-encoded command.

Remediation

Users are advised to update to Traq version 2.3.1, which addresses this vulnerability.
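As an added, defender-side example that is not part of this advisory, the Python below checks an installed Traq version against the affected range stated above (2.0 through 2.3, fixed in 2.3.1) and triages web-server access logs for POST requests to the admin plugin handler named in the Reproduction section. The log lines are constructed for illustration; the combined log format and the /traq/ path prefix are assumptions.

```python
import re
from typing import List, Tuple

# Affected range per the advisory: 2.0 through 2.3; 2.3.1 carries the fix.
FIRST_AFFECTED = (2, 0)
FIXED_VERSION = (2, 3, 1)


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '2.3' or '2.3.1' into a comparable tuple of ints."""
    return tuple(int(p) for p in s.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the installed Traq version falls inside the affected range."""
    v = parse_version(version)
    return FIRST_AFFECTED <= v < FIXED_VERSION


# Combined log format: client ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def flag_suspicious(lines: List[str]) -> List[dict]:
    """Flag POSTs to the admin plugin handler, which only admins should ever reach."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path.endswith("/admincp/plugins.php"):
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "status": int(m.group("status"))})
    return hits


# Constructed sample log lines (assumed /traq/ prefix); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Aug/2025:22:10:01 +0000] "GET /traq/index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [13/Aug/2025:22:10:07 +0000] "POST /traq/admincp/plugins.php HTTP/1.1" 200 312',
    '198.51.100.9 - admin [13/Aug/2025:22:11:30 +0000] "GET /traq/admincp/plugins.php?view=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("2.3 affected:", is_affected("2.3"), "| 2.3.1 affected:", is_affected("2.3.1"))
    for hit in flag_suspicious(SAMPLE_LOG):
        print("review:", hit)
```

The second stage described above, a GET to index.php carrying the command in a request header, is not visible in the combined log format, so catching it requires header-level logging or a web application firewall. Any flagged POST from a client that never authenticated as an admin warrants review of the plugins directory for unexpected files.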

Added: Aug 13, 2025, 10:45 PM
Updated: Aug 13, 2025, 10:45 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.4
remediation: 7.7
relevance: 0.4
threat: 9.3
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.