slackero phpwcms
cpe:2.3:a:phpwcms:phpwcms:*:*:*:*:*:*:*
- <= 1.9.45
- <= 1.10.8
A critical deserialization vulnerability has been identified in Slackero phpwcms, affecting versions up to and including 1.9.45 and 1.10.8. The flaw is in the Feedimport module, in the file processing.inc.php: the cnt_text argument is passed to deserialization without validation, so attacker-controlled serialized data is deserialized by the application. The flaw is remotely exploitable and may lead to unauthorized actions or access.
Because the deserialized data is attacker-controlled, exploitation can result in arbitrary code execution or other unintended behavior in the application.
The vulnerability is reproduced by sending a request to the Feedimport module's processing.inc.php with a crafted cnt_text argument. This can be done manually or with a proof-of-concept exploit published on GitHub.
Users are advised to upgrade to phpwcms 1.9.46 or 1.10.9, depending on the installed branch.
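The pattern this advisory describes, request data reaching PHP's unserialize() unchecked, and the standard ways to close it, as an added illustration. This is not phpwcms code and does not reproduce the project's actual fix, which this page does not show; all function, parameter and field names are constructed for the example.

```php
<?php
// Added illustration, not phpwcms code. Shows the risky pattern and two
// defensive alternatives. All names here are constructed for the example.

declare(strict_types=1);

// --- Risky pattern: a request field is handed straight to unserialize().
// Any loadable class with __wakeup()/__destruct()/__toString() becomes
// reachable to whoever controls the input.
function risky_restore(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// --- Mitigation 1: if the serialized format must be kept for compatibility,
// forbid object instantiation. Any object in the payload is materialised as
// __PHP_Incomplete_Class and no magic methods run. Then validate the shape
// of the result before using it.
function safe_restore(string $untrusted): array
{
    $data = unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a serialized array');
    }
    foreach ($data as $key => $value) {
        if (!is_string($key) || !is_scalar($value)) {
            throw new InvalidArgumentException('unexpected element in payload');
        }
    }
    return $data;
}

// --- Mitigation 2: use a data-only format. json_decode() never instantiates
// application classes, so there is no gadget surface at all.
function json_restore(string $untrusted): array
{
    $data = json_decode($untrusted, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a JSON object');
    }
    return $data;
}

// Constructed samples: a benign serialized array and one carrying an object.
$benign     = serialize(['title' => 'Feed item', 'count' => 3]);
$withObject = 'O:8:"stdClass":1:{s:3:"key";s:5:"value";}';

var_dump(safe_restore($benign));

// With allowed_classes => false the object is not instantiated as stdClass.
$blocked = unserialize($withObject, ['allowed_classes' => false]);
var_dump(get_class($blocked) === '__PHP_Incomplete_Class');

// The shape check then rejects it outright.
try {
    safe_restore($withObject);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

echo json_encode(json_restore('{"title":"Feed item","count":3}')), PHP_EOL;
```

The allowed_classes option exists from PHP 7.0 onwards; on older interpreters the only robust option is the second one, moving the feature to JSON or another data-only encoding and rejecting anything that is not the expected structure.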