FacturaScripts Zip Slip Vulnerability Leading to Remote Code Execution

Vulnerability

A critical vulnerability has been identified in the FacturaScripts accounting and invoicing software, affecting versions 2026 and earlier. The issue lies in the Plugins::add() function, which does not properly validate the file paths of the entries inside an uploaded ZIP archive. An attacker can therefore carry out a Zip Slip attack: an archive entry whose name contains a path traversal sequence is extracted outside the designated plugins directory, giving an arbitrary file write that can overwrite or create PHP files the web server will execute, and with that remote code execution. The root cause is the testZipFile function, which neither sanitizes nor validates the individual entry paths, so a crafted ZIP file passes its checks.

Impact

Exploiting this vulnerability gives an attacker who can upload a plugin archive remote code execution on the server hosting FacturaScripts: a PHP file written into a location served by the web server runs with the privileges of the web server process as soon as it is requested.

Reproduction

To reproduce this vulnerability, create a ZIP archive containing an entry whose name carries a path traversal sequence, for example 'ValidPluginName/../../shell.php', and upload it through the 'Add Plugin' section in FacturaScripts. Because the entry path is not validated, extraction resolves the '..' components and writes shell.php outside the plugins directory, into a location accessible to the web server; requesting that file then executes the attacker's PHP code.
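The following is an added example and is not FacturaScripts code: it is written in Python rather than the project's PHP, builds the crafted archive described above in memory (the entry names and file contents are constructed for the demonstration), and shows the per-entry check that an extractor must apply before writing anything to disk. The plugins directory is a throwaway temporary directory, not a real FacturaScripts installation, and the helper names (build_zip, unsafe_entries, safe_extract) are this example's own.

```python
import io
import os
import tempfile
import zipfile


def build_zip(entries):
    """Build an in-memory ZIP from an {entry_name: bytes} mapping.
    zipfile writes the entry name verbatim, so "ValidPluginName/../../shell.php"
    lands in the archive exactly as written, which is what a Zip Slip payload relies on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def unsafe_entries(zip_bytes, dest_dir):
    """Return the entry names whose extraction target would fall outside dest_dir.
    This is the per-entry validation the advisory says testZipFile does not perform."""
    root = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            # Reject absolute names, drive letters and any ".." component outright.
            if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0] or ".." in parts:
                bad.append(name)
                continue
            # Belt and braces: resolve the would-be target and confirm it stays under root.
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                bad.append(name)
    return bad


def safe_extract(zip_bytes, dest_dir):
    """Extract only after every entry has passed unsafe_entries(); returns the written paths."""
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError("refusing archive with traversal entries: %s" % bad)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


# Constructed payloads for the demonstration, not real plugin archives.
BENIGN_ZIP = build_zip({
    "ValidPluginName/facturascripts.ini": b"name = ValidPluginName\n",
    "ValidPluginName/Init.php": b"<?php // benign plugin bootstrap\n",
})
MALICIOUS_ZIP = build_zip({
    "ValidPluginName/facturascripts.ini": b"name = ValidPluginName\n",
    # The traversal entry: two levels up from the plugins directory.
    "ValidPluginName/../../shell.php": b"<?php echo 'placeholder, no payload'; ?>\n",
})


def demo():
    """Run both archives through the validator against a throwaway plugins directory."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins_dir = os.path.join(tmp, "Plugins")
        os.makedirs(plugins_dir)
        benign_written = safe_extract(BENIGN_ZIP, plugins_dir)
        flagged = unsafe_entries(MALICIOUS_ZIP, plugins_dir)
        try:
            safe_extract(MALICIOUS_ZIP, plugins_dir)
            rejected = False
        except ValueError:
            rejected = True
        return len(benign_written), flagged, rejected


if __name__ == "__main__":
    print(demo())
```

The check rejects any '..' component before touching the filesystem and then confirms the resolved target still lies under the plugins root, so an archive that mixes legitimate plugin files with one traversal entry is refused as a whole rather than partially extracted.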

Remediation

Update to FacturaScripts version 2026.1 or later, where this vulnerability has been fixed.

Added: May 18, 2026, 10:19 PM
Updated: May 18, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 7.5
exploitability: 5.1
remediation: 7.7
relevance: 8.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.