Juzaweb CMS Broken Access Control Vulnerability in Plugin Editor Page

Vulnerability

A critical vulnerability has been identified in Juzaweb CMS versions through 3.4.2. The issue resides in the Plugin Editor Page component, specifically in the route /admin-cp/plugin/editor. The endpoint does not enforce a permission check, so any authenticated user, including one whose role has no permissions at all, can open the page and view and edit the source code of installed plugins. The issue is exploitable remotely; the only requirement is a login to the CMS, not an elevated role.

Impact

Exploitation of this vulnerability allows unprivileged users to read and modify the code of plugins installed on the CMS. Because plugin code runs server-side, writing attacker-controlled code into a plugin amounts to arbitrary code execution on the web server hosting the CMS.

Reproduction

To reproduce this vulnerability, create a new user and assign it a role with all permissions disabled. Log in with this account and navigate to /admin-cp/plugin/editor. The plugin editor loads and the user can view and edit plugin functions, despite having no permissions. On an install where the check is enforced, the same request should instead be rejected (HTTP 403) or redirected away from the editor.
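The steps above can be turned into a repeatable check. The script below is an added example, not code from the advisory or from the Juzaweb project: it sends a single GET to /admin-cp/plugin/editor using the session cookie of the zero-permission user and classifies the response. It assumes the cookie is copied from a browser login of that user, that a 200 response whose final URL is still the editor path means the page was served, and that a 401/403 or a redirect elsewhere means the permission check is in place; it does not parse the editor markup and does not attempt to save any plugin code.

```python
"""Added example: probe whether an unprivileged Juzaweb session can reach
/admin-cp/plugin/editor. Not part of the advisory or of Juzaweb itself.

Assumptions (also stated in the lead-in):
  - the Cookie header value comes from a browser login of a user whose
    role has every permission disabled;
  - HTTP 200 with the final URL still at the editor path = page served;
  - HTTP 401/403, or a redirect away from the editor = check enforced.
"""
import argparse
import urllib.error
import urllib.request
from dataclasses import dataclass

EDITOR_PATH = "/admin-cp/plugin/editor"  # path named in the advisory


@dataclass
class Probe:
    status: int      # final HTTP status after redirects were followed
    final_url: str   # URL the server actually served
    body: str        # response body, kept for manual inspection


def editor_url(base_url: str) -> str:
    """Join the site base URL and the editor path without a double slash."""
    return base_url.rstrip("/") + EDITOR_PATH


def classify(probe: Probe, base_url: str) -> str:
    """Map one probe of the editor to a verdict.

    The prefix (VULNERABLE / OK / INCONCLUSIVE) is stable so a wrapper
    script can match on it; the rest is human-readable detail.
    """
    target = editor_url(base_url)
    # Ignore a query string and trailing slash when comparing the final URL
    reached_editor = probe.final_url.split("?", 1)[0].rstrip("/") == target

    if probe.status == 200 and reached_editor:
        return "VULNERABLE: unprivileged session was served " + EDITOR_PATH
    if probe.status in (401, 403):
        return "OK: server rejected the unprivileged session with HTTP %d" % probe.status
    if probe.status == 200 and not reached_editor:
        return "OK: request was redirected away from the editor to " + probe.final_url
    return "INCONCLUSIVE: HTTP %d at %s, inspect the body manually" % (
        probe.status, probe.final_url)


def fetch(url: str, cookie: str, timeout: float = 10.0) -> Probe:
    """GET url with the unprivileged user's session cookie, following redirects."""
    req = urllib.request.Request(
        url, headers={"Cookie": cookie, "User-Agent": "juzaweb-acl-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.geturl(),
                         resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; those responses are still valid probes
        return Probe(err.code, err.geturl() or url,
                     err.read().decode("utf-8", "replace"))


def probe_editor(base_url: str, cookie: str) -> str:
    """Run the live check and return the verdict string."""
    return classify(fetch(editor_url(base_url), cookie), base_url)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(
        description="Probe /admin-cp/plugin/editor with an unprivileged session")
    ap.add_argument("base_url", help="site root, e.g. https://cms.example.org")
    ap.add_argument("cookie", help="Cookie header value of the zero-permission user")
    args = ap.parse_args()
    print(probe_editor(args.base_url, args.cookie))
```

Run it as `python probe.py https://cms.example.org 'juzaweb_session=...'` after logging in as the zero-permission user in a browser and copying that session's cookie header. A VULNERABLE verdict is a strong signal but not proof on its own: some applications answer 200 with a "permission denied" body, so confirm the body actually contains the editor before reporting. The probe is read-only by design; it never posts a plugin edit, so it is safe to run against a production site.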

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 7.5
exploitability: 6.8
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.