School ERP Pro File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in School ERP Pro version 1.0 due to an unrestricted file upload feature. Students can upload arbitrary PHP files through the messaging system's attachment feature, which are then executed on the server. This vulnerability arises from the application's failure to properly validate file uploads, allowing malicious scripts to be introduced and executed remotely.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where School ERP Pro is hosted.

Reproduction

To reproduce this vulnerability, log in as a student user and navigate to the messaging system. Attach a PHP file, such as one containing a simple PHP script like `<?php phpinfo(); ?>`, and send the message. The uploaded file will be executed on the server, demonstrating the remote code execution vulnerability.
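The root cause described above is that the attachment upload accepts any file and stores it where the web server will execute it. The following is an added example, not School ERP Pro's code, of the validation a messaging attachment handler needs: an allow-list of extensions, a check that the file's actual content matches that extension, a server-chosen random filename, and storage outside the web root so the file can never be run as PHP. The storage directory and the allow-list contents are assumptions chosen for illustration.

```php
<?php
// Added example (not School ERP Pro's code): hardened handling of a message
// attachment uploaded through a PHP form. Assumes a storage directory that is
// outside the document root and has no PHP handler mapped to it.

declare(strict_types=1);

// Assumption: attachments live outside the web root, so a request can never
// reach them directly and the PHP engine never sees them.
const ATTACHMENT_DIR = '/var/app/attachments';

// Allow-list: extension => MIME types the file content must actually sniff as.
// PHP, PHTML, and other executable extensions are simply absent.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'txt'  => ['text/plain'],
];

const MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024;

/**
 * Validate one $_FILES entry and move it into storage.
 * Returns the stored path on success, throws on any rejection.
 */
function storeAttachment(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $file['error']);
    }
    // Guard against a forged path: only files PHP received via HTTP POST are accepted.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_ATTACHMENT_BYTES) {
        throw new RuntimeException('Attachment too large');
    }

    // Only the final extension matters for the decision, and the original
    // name is never used on disk, so double-extension names gain nothing.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('File type not allowed');
    }

    // Sniff the real content; $file['type'] is client-supplied and untrusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException('Content does not match declared type');
    }

    // Server-chosen random name; keep the user's filename only in the database.
    $stored = ATTACHMENT_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $stored)) {
        throw new RuntimeException('Could not store attachment');
    }
    chmod($stored, 0640); // readable by the app user, never executable
    return $stored;
}

/**
 * Hand an attachment back through the application rather than by direct URL,
 * forcing a download so the browser never renders it in the app's origin.
 */
function sendAttachment(string $storedPath, string $downloadName): void
{
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . rawurlencode($downloadName) . '"');
    readfile($storedPath);
}
```

Two of these controls matter most for the issue reported here: the allow-list rejects `.php` outright, and storing under a directory the web server neither serves nor passes to the PHP engine means that even a file that slips past validation is never executed. Disabling script execution for the attachment directory at the web-server level is a worthwhile second layer, since it does not depend on the application code being correct.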

Added: Feb 3, 2026, 10:39 PM
Updated: Feb 3, 2026, 10:39 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.