SeaCMS Remote Code Execution Vulnerability in admin_ping.php Component

Vulnerability

A remote code execution vulnerability has been identified in SeaCMS version 13.3. The issue arises in admin_ping.php, which builds PHP code by concatenating user-supplied values directly into it. Although the component attempts to restrict file editing, these restrictions can be bypassed, allowing authenticated attackers to inject and execute arbitrary code with system privileges.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where SeaCMS is installed.

Reproduction

To reproduce this vulnerability, open the admin_ping.php page in the SeaCMS 13.3 administration panel and submit PHP code in the 'weburl' field, preceded by a closing quote and a semicolon so that it breaks out of the string literal, for example '123456789";phpinfo();$a="1'. When the submitted value is processed, the injected PHP code is executed, demonstrating successful exploitation.
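As an added illustration (not SeaCMS's own code), the following hypothetical PHP config writer shows the raw-concatenation pattern the advisory describes next to a hardened version that emits values with var_export() and checks that the generated file contains exactly one statement per setting; the function names, setting names and the config layout are assumptions.

```php
<?php
// Added example, not SeaCMS code: a hypothetical settings writer that
// serialises form values into a PHP file, once unsafely and once safely.

// Vulnerable: the value is dropped into PHP source between double quotes, so a
// value containing `";` terminates the literal and the remainder becomes code.
function buildConfigUnsafe(array $settings): string {
    $php = "<?php\n";
    foreach ($settings as $key => $value) {
        $php .= '$' . $key . '="' . $value . "\";\n";
    }
    return $php;
}

// Hardened: keys are restricted to identifier characters and values are
// emitted with var_export(), which yields a single-quoted literal with
// backslashes and single quotes escaped, so a value can never close it.
function buildConfigSafe(array $settings): string {
    $php = "<?php\n";
    foreach ($settings as $key => $value) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key)) {
            throw new InvalidArgumentException("invalid setting name: $key");
        }
        $php .= '$' . $key . ' = ' . var_export((string) $value, true) . ";\n";
    }
    return $php;
}

// Sanity check for a generated config: count statement terminators with the
// tokenizer, so a `;` inside a string literal is not counted. A correct file
// has exactly one statement per setting; anything more means injected code.
function statementCount(string $php): int {
    $n = 0;
    foreach (token_get_all($php) as $tok) {
        if ($tok === ';') {
            $n++;
        }
    }
    return $n;
}

// Constructed input using the value quoted in the advisory.
$settings = ['weburl' => '123456789";phpinfo();$a="1'];

foreach (['unsafe' => buildConfigUnsafe($settings),
          'safe'   => buildConfigSafe($settings)] as $label => $php) {
    $verdict = statementCount($php) === count($settings) ? 'OK' : 'EXTRA STATEMENTS';
    echo "[$label] $verdict\n$php\n";
}
```

Writing settings to a non-executable format such as JSON or INI and loading them at runtime removes the code-generation step altogether, which is the more robust fix.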

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread          1.0
impact         10.0
exploitability  6.8
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to derive these 8 vulnerability categories, which are then combined into the overall risk score.