PocketVJ CP Remote Code Execution Vulnerability in submit_size.php Component

Vulnerability

A remote code execution vulnerability has been identified in PocketVJ CP version 3.9.1. The issue is in the submit_size.php component, which does not properly sanitize input before passing it to shell_exec(), exec(), and system(). This flaw allows remote attackers to inject arbitrary commands through HTTP POST requests, potentially leading to a full compromise of the host system.

Impact

Exploitation of this vulnerability allows arbitrary code execution on the server, with the injected commands running in the context of the web server user. This could lead to a complete takeover of the affected system.
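For defenders reviewing handlers of this kind, the following added example (not PocketVJ code and not taken from submit_size.php) shows the general fix: strict validation of the POST value followed by execution through an argument array so that no shell parses it. The field names `width` and `height`, the `SIZE_TOOL` path and the 1 to 8192 range are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names: the 'width'/'height' fields and SIZE_TOOL path are
// assumptions for this example, not identifiers from submit_size.php.
const SIZE_TOOL = '/usr/local/bin/set-output-size';

// Weak pattern of the kind the advisory describes (comment only):
//   shell_exec('set-output-size ' . $_POST['width'] . ' ' . $_POST['height']);
// The request value becomes part of a shell command line.

/** Return the field as an int within [$min, $max], or null for anything else. */
function parse_dimension(array $post, string $key, int $min, int $max): ?int
{
    $raw = $post[$key] ?? null;
    // Digits only: rejects arrays, signs, whitespace and shell metacharacters.
    if (!is_string($raw) || !preg_match('/\A[0-9]{1,5}\z/', $raw)) {
        return null;
    }
    $value = (int) $raw;
    return ($value >= $min && $value <= $max) ? $value : null;
}

/** Run the tool from an argv array; PHP >= 7.4 then starts it without a shell. */
function apply_size(int $width, int $height): int
{
    $argv = [SIZE_TOOL, (string) $width, (string) $height];
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    stream_get_contents($pipes[1]); // drain stdout so the child can exit
    fclose($pipes[1]);
    return proc_close($proc);
}

// Constructed sample inputs standing in for $_POST. A real handler would call
// apply_size($w, $h) only in the accepted case and answer HTTP 400 otherwise.
$samples = [
    ['width' => '1920', 'height' => '1080'],
    ['width' => '1920;x', 'height' => '1080'],
    ['width' => ['1920'], 'height' => '1080'],
];
foreach ($samples as $post) {
    $w = parse_dimension($post, 'width', 1, 8192);
    $h = parse_dimension($post, 'height', 1, 8192);
    $ok = ($w !== null && $h !== null);
    echo json_encode($post), ' => ', $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```

Where a shell command string cannot be avoided, wrapping each validated value in escapeshellarg() is the fallback; validation alone or escaping alone is weaker than both together.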

Added: Sep 23, 2025, 7:23 PM
Updated: Sep 23, 2025, 7:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 7.4
remediation: 0.0
relevance: 0.6
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.