PPress CMS Hardcoded Credentials Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability exists in PPress CMS version 0.0.9-beta due to hardcoded credentials in the default configuration. This issue allows for remote code execution by exploiting server-side template injection (SSTI) vulnerabilities. The problem arises from the application's theme management feature, which can be manipulated to execute arbitrary commands on the server.
Impact
Exploitation of this vulnerability could lead to unauthorized remote code execution on the server where PPress CMS is hosted.
Reproduction
To reproduce this vulnerability, an administrator account is required. Once logged in, navigate to the theme management section and export the default template. Modify the 'profile.html' file by injecting malicious code into a template variable. After saving the changes, repackage the theme and upload it. Once the theme is applied, the injected code will be executed, allowing command execution on the server.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.