WuzhiCMS
cpe:2.3:a:wuzhicms:wuzhi_cms:*:*:*:*:*:*:*
- 4.1
A critical code injection vulnerability has been identified in WuzhiCMS version 4.1. The issue arises in the Setting Handler component, specifically within the Set function of the index.php file, when the setting parameter is manipulated. This vulnerability allows remote attackers to inject malicious code, which could be executed on the server. The flaw was disclosed publicly, and the vendor did not respond to initial contact regarding the issue.
Exploitation of this vulnerability allows for arbitrary code execution on the server, with the injected code executed in the context of the web server.
To reproduce this vulnerability, send a GET request to the index.php file with the attachment module activated. Include the setting parameter in the request, with PHP code embedded in its value, such as a call to phpinfo(). The injected code is executed on the server, which demonstrates the code execution vulnerability.
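A detection check for the request pattern described above, as an added example that is not part of the original advisory or of WuzhiCMS: it scans access-log lines for GET requests to index.php that select the attachment module and carry PHP code in the setting parameter. The log lines are constructed, the query key `module` is a placeholder because the page does not name the key, and the PHP-code pattern is a heuristic assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Heuristic markers of PHP code in a parameter value (assumption of this example).
PHP_CODE = re.compile(
    r"<\?|\b(?:phpinfo|eval|assert|system|exec|passthru|shell_exec)\s*\(", re.I)
# Request line as it appears inside a combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines; "module" is a placeholder key, not taken from the page.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?module=attachment&setting=phpinfo%28%29 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?module=attachment&setting%5Bx%5D=%3C%3Fphp+phpinfo%28%29%3B HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?module=attachment&setting=1 HTTP/1.1" 200 300',
    '198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php?module=content&setting=phpinfo%28%29 HTTP/1.1" 200 300',
]

def suspicious_setting(line):
    """Return the decoded setting value if the line matches the pattern, else None."""
    m = REQUEST.search(line)
    if not m or m.group("method") != "GET":
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("index.php"):
        return None
    params = parse_qsl(url.query, keep_blank_values=True)
    # The module selector key is unknown here, so match the value under any key.
    if not any(value.lower() == "attachment" for _, value in params):
        return None
    for key, value in params:
        # The parameter may arrive as setting=... or in array form, setting[name]=...
        if key.lower() == "setting" or key.lower().startswith("setting["):
            decoded = unquote(value)  # second pass catches double URL-encoding
            if PHP_CODE.search(decoded):
                return decoded
    return None

def scan(lines):
    """Return (line number, decoded value) for every matching log line."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_setting(line)) is not None]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: setting carries PHP code: {value!r}")
```

A hit only shows that a request of this shape reached the server; whether the injected code ran has to be confirmed from the application's stored settings and from server-side activity at the same timestamp.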