ZZCMS 2025 Backend Website Settings Remote Code Execution Vulnerability

A remote code execution vulnerability exists in ZZCMS version 2025 within the backend website settings module. The issue arises in the file '/admin/siteconfig.php', specifically in the 'stripfxg' function, where the 'icp' parameter can be manipulated to inject malicious PHP code. This injected code is then written to '/inc/config.php' and executed whenever any page is accessed. The vulnerability requires authentication as an administrator to exploit.

Impact

Exploitation of this vulnerability allows for arbitrary PHP code execution on the server.

Reproduction

To reproduce this vulnerability, log into the admin backend and navigate to the website settings page. Modify the 'ICP Number' field by injecting a payload that includes PHP code execution commands, such as using 'eval()' to execute commands sent via the 'cmd' parameter. After saving the configuration, the injected code will be executed on the server.