ThinkPHP 3 Arbitrary Code Execution Vulnerability via File Inclusion

Vulnerability

A file inclusion vulnerability in ThinkPHP 3.2.5 allows remote code execution. The flaw is reachable through the framework's front controller, index.php: a crafted request causes ThinkPHP to include a file of the attacker's choosing, and any PHP code in that file is executed.

Impact

Successful exploitation gives the attacker arbitrary code execution on the server hosting ThinkPHP 3.2.5, in the security context of the user the web server or PHP process runs as.

Reproduction

To reproduce this vulnerability, send a request to index.php that sets the module, controller and action parameters 'm', 'c' and 'a'. Place a path traversal sequence (for example a run of ../) in the 'a' parameter so that the resolved action name points at a file with a .html extension that contains PHP code, such as a script calling phpinfo(). When ThinkPHP processes the request, it includes that .html file as a template and the embedded PHP runs, which yields code execution. Precondition: because the traversal only changes which local file is included, the .html file must already exist on the server; in practice the attacker needs an existing or uploadable file containing PHP. As a mitigation where upgrading is not possible, reject requests whose 'a' parameter contains anything other than letters, digits and underscores before they reach the framework (for example at a WAF or reverse proxy).
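The following detection script is an added example and is not part of the original advisory or of ThinkPHP itself. It scans web server access log lines for the request pattern described above: a request to index.php whose 'a' parameter, after URL decoding (including double encoding such as %252e%252e%252f), contains a directory traversal sequence. The log format (Apache/Nginx combined format) and all sample log lines are constructed for illustration; the module and controller values and the .html suffix are recorded as supporting evidence rather than required, since a probe may omit or vary them.

```python
"""Detect ThinkPHP 3.2.5 template-inclusion probes in access logs.

Added example (not from the advisory or ThinkPHP). Assumes combined log
format with a quoted request line; sample lines below are constructed.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client ident user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path component bounded by a separator or the string ends.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded probes like
    ..%252F..%252F are normalised before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(path: str) -> Optional[dict]:
    """Return a finding for a request path, or None if it looks benign.

    A finding requires an index.php target, an 'a' parameter and a traversal
    sequence in the decoded action name. 'm', 'c' and a .html suffix are
    recorded as context only (the advisory's reproduction uses all three).
    """
    parts = urlsplit(path)
    if not parts.path.lower().endswith('index.php'):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    for action in qs.get('a', []):
        decoded = decode_fully(action).replace('\\', '/')
        if TRAVERSAL_RE.search(decoded):
            return {
                'action': decoded,
                'module': qs.get('m', [None])[0],
                'controller': qs.get('c', [None])[0],
                'html_suffix': decoded.lower().endswith('.html'),
            }
    return None


def scan_log(lines: List[str]) -> List[dict]:
    """Parse each log line and collect findings with client and status."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        finding = classify_request(match.group('path'))
        if finding:
            finding.update(ip=match.group('ip'),
                           time=match.group('time'),
                           status=int(match.group('status')))
            findings.append(finding)
    return findings


# Constructed sample traffic (not real log data).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Aug/2025:15:19:02 +0000] "GET /index.php?m=Home&c=Index&a=index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Aug/2025:15:19:44 +0000] "GET /index.php?m=Home&c=Index&a=../../../../Uploads/info.html HTTP/1.1" 200 31337 "-" "curl/8.4.0"',
    '203.0.113.7 - - [05/Aug/2025:15:20:01 +0000] "GET /index.php?m=Home&c=Index&a=..%252F..%252FUploads%252Finfo.html HTTP/1.1" 200 31337 "-" "curl/8.4.0"',
    '198.51.100.2 - - [05/Aug/2025:15:21:10 +0000] "GET /static/app.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} "
              f"m={f['module']} c={f['controller']} a={f['action']}")
```

A 200 status on a traversal request deserves priority: it means the server served something for the traversed action, which is consistent with a template having been found and rendered. Backslash separators are normalised to forward slashes before matching so that probes using %5c are caught as well.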

Added: Aug 5, 2025, 3:19 PM
Updated: Aug 5, 2025, 4:29 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 10.0
exploitability: 9.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.