Phpwcms File Upload Vulnerability Allowing Cross-Site Scripting

Vulnerability

A file upload vulnerability has been identified in Phpwcms version 1.9.30. This vulnerability allows authenticated attackers to upload malicious SVG files containing embedded JavaScript. The crafted SVG payloads can be uploaded through the multiple file upload feature, potentially leading to cross-site scripting attacks on the platform.

Impact

Exploitation of this vulnerability could result in cross-site scripting attacks, allowing for the execution of malicious scripts in the context of the user's browser.

Reproduction

To reproduce this vulnerability, log into the Phpwcms application and navigate to the multiple file upload feature. Craft an SVG file that includes JavaScript, such as an alert script, and upload it through the file upload interface. After uploading, the SVG file can be accessed from the upload directory, and the embedded JavaScript executes when the file is opened in a browser.

Added: Jan 16, 2026, 1:07 AM
Updated: Jan 16, 2026, 1:07 AM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.7
exploitability: 6.5
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.