PluXml
cpe:2.3:a:pluxml:pluxml:*:*:*:*:*:*:*
- 4.7.20
A remote code execution vulnerability has been identified in PluXml CMS version 5.8.22. This vulnerability allows authenticated attackers with access to the administrator panel to inject a malicious PHP web shell into a theme file, such as home.php. The issue arises from inadequate validation of ZIP archive contents during module uploads, enabling attackers to exploit path traversal vulnerabilities and execute arbitrary code on the server.
Exploitation of this vulnerability allows authenticated administrators to execute arbitrary commands on the server, potentially leading to a full system compromise.
To reproduce this vulnerability, log into the PluXml CMS admin panel and navigate to the Module Management section. Upload a ZIP file containing a PHP web shell, ensuring that the file paths are crafted to exploit the application's path traversal vulnerabilities. Once the ZIP file is uploaded and extracted, access the injected PHP file through the web server to execute the web shell.
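A defensive check for the flaw described above, as an added example that is not PluXml's own code: every entry name in an uploaded module ZIP is validated before anything is written, and the whole archive is rejected if any name is absolute or contains a parent-directory segment. The function names, the use of PHP's ZipArchive for extraction, and the sample entry names are assumptions made for illustration.

```php
<?php
// Added example, not PluXml code. Function names and sample entries are hypothetical.

/** Return the reason an archive entry name is unsafe, or null if it is acceptable. */
function unsafeEntryReason(string $name): ?string
{
    $n = str_replace('\\', '/', $name);   // treat Windows separators as path separators
    if ($n === '' || strpos($n, "\0") !== false) {
        return 'empty name or NUL byte';
    }
    if ($n[0] === '/' || preg_match('#^[A-Za-z]:#', $n)) {
        return 'absolute path';
    }
    foreach (explode('/', $n) as $part) {
        if ($part === '..') {
            return 'parent-directory segment';
        }
    }
    return null;
}

/** Extract $zipPath into $destDir only if every entry passes; otherwise write nothing. */
function extractModuleZip(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['ok' => false, 'errors' => ['cannot open archive']];
    }
    $errors = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false) {
            $errors[] = "entry $i: unreadable name";
            continue;
        }
        $reason = unsafeEntryReason($name);
        if ($reason !== null) {
            $errors[] = "$name: $reason";
        }
    }
    // Extraction happens only after the full listing has been checked.
    $ok = !$errors && $zip->extractTo($destDir);
    $zip->close();
    return ['ok' => $ok, 'errors' => $errors];
}

// Constructed sample entry names, checked without touching the filesystem.
foreach (['myplugin/infos.xml', 'myplugin/../../outside/home.php', '/tmp/x.php', 'C:\\x.php'] as $n) {
    printf("%-35s %s\n", $n, unsafeEntryReason($n) ?? 'ok');
}
```

Logging the rejected entry names from the returned errors array gives responders a record of an attempted traversal through the module upload.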