Grav CMS Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Grav CMS version 1.7.48, specifically within the Admin Plugin version 1.10.48. This vulnerability allows authenticated administrators to upload malicious plugins through the 'Direct Install' interface. Once the plugin is uploaded, it is automatically extracted and executed, enabling the execution of arbitrary PHP code and potentially providing reverse shell access.

Impact

Exploitation of this vulnerability allows authenticated administrators to execute arbitrary PHP code on the server, with the possibility of gaining reverse shell access.

Reproduction

To reproduce this vulnerability, log into the Grav Admin Panel as an administrator and navigate to 'Tools > Direct Install'. Upload a malicious plugin ZIP file containing a PHP file designed to execute commands on the server, along with a minimal blueprint file to bypass validation. After the plugin is installed, the reverse shell can be triggered by sending a crafted HTTP request that exploits the uploaded PHP file.
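A pre-install triage check of the kind a defender could run over a plugin ZIP before it reaches Direct Install, as an added example that is not part of this advisory or of Grav itself; the function names, the heuristics and the two in-memory sample archives are all constructed here:

```python
import io
import posixpath
import re
import zipfile

# Hypothetical pre-install triage for a plugin ZIP (added example, not Grav's own code).
# Heuristics: archive entries that escape the extraction directory, and PHP source
# calling OS command functions, which a "minimal blueprint plus one PHP file" package
# of the kind the advisory describes has no legitimate reason to contain.
EXEC_CALLS = re.compile(r"\b(exec|shell_exec|system|passthru|proc_open|popen|pcntl_exec)\s*\(")


def inspect_plugin_zip(data: bytes) -> dict:
    findings = {"traversal": [], "exec_calls": [], "php_files": [], "has_blueprint": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # zip entries use forward slashes; normalise and flag anything that climbs out
            if name.startswith("/") or posixpath.normpath(name).split("/")[0] == "..":
                findings["traversal"].append(name)
            if posixpath.basename(name) == "blueprints.yaml":
                findings["has_blueprint"] = True
            if name.endswith(".php"):
                findings["php_files"].append(name)
                src = zf.read(info).decode("utf-8", errors="replace")
                findings["exec_calls"] += [(name, m.group(1)) for m in EXEC_CALLS.finditer(src)]
    return findings


def is_suspicious(findings: dict) -> bool:
    return bool(findings["traversal"] or findings["exec_calls"])


def build_sample_zip(php_source: str) -> bytes:
    # Constructed sample: one blueprint file plus one PHP file, built in memory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample-plugin/blueprints.yaml", "name: Sample\nversion: 0.0.1\n")
        zf.writestr("sample-plugin/sample.php", php_source)
    return buf.getvalue()


# Constructed inputs: one package that shells out, one that only declares a plugin class
BAD_ZIP = build_sample_zip("<?php\n$out = shell_exec('id');\n")
GOOD_ZIP = build_sample_zip("<?php\nnamespace Grav\\Plugin;\nclass SamplePlugin {}\n")

if __name__ == "__main__":
    for label, blob in (("bad", BAD_ZIP), ("good", GOOD_ZIP)):
        print(label, is_suspicious(inspect_plugin_zip(blob)))
```

The heuristics are a triage aid, not a verdict: a legitimate plugin may call these functions, so a hit should route the archive to manual review rather than block it outright.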

Added: Aug 6, 2025, 3:25 PM
Updated: Aug 6, 2025, 3:25 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 10.0
exploitability: 6.3
remediation: 8.3
relevance: 0.3
threat: 7.7
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.