PopojiCMS Remote Command Execution Vulnerability

Vulnerability

A remote command execution vulnerability has been identified in PopojiCMS version 2.0.1. This issue allows authenticated administrative users to inject malicious PHP code through the metadata settings endpoint. Once the code is injected, it can be used to create a web shell that executes arbitrary system commands via a GET parameter.

Impact

Exploitation of this vulnerability allows for authenticated remote command execution on the server where PopojiCMS is hosted.

Reproduction

To reproduce this vulnerability, an administrative user must log into the PopojiCMS admin panel. After logging in, the user can navigate to the metadata settings endpoint and inject PHP code into the meta content. Once the code is injected, it can be executed by accessing the web shell through the specified GET parameter.

Added: Dec 10, 2025, 10:30 PM
Updated: Dec 10, 2025, 10:30 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 10.0
exploitability: 6.3
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.