Daylight Studio FuelCMS Dwoo Component Arbitrary Code Execution Vulnerability

Vulnerability

A vulnerability allowing arbitrary code execution has been identified in Daylight Studio FuelCMS version 1.5.2, specifically within the Dwoo template parser component. This issue arises because the Dwoo parser does not properly sanitize the backslash character, enabling attackers to escape strings and inject malicious PHP code. FuelCMS utilizes Dwoo in various features, including dynamic content blocks, but the lack of adequate input handling creates a significant security risk.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary PHP code on the server, potentially leading to full server compromise.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the FuelCMS block preview endpoint. The request must include crafted Dwoo template data that exploits the parser's failure to escape backslashes. Once the payload is processed, the injected PHP code will be executed on the server.
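The advisory's root cause is untrusted template source reaching the parser with backslashes intact, and its exposure is that any authenticated user can reach the preview endpoint. The following PHP is an added example of how a site operator could gate such an endpoint; it is not FuelCMS or Dwoo code. The controller method previewBlock(), the role names, and the log messages are assumptions; the inputs at the bottom are constructed for demonstration.

```php
<?php
// Added example, not FuelCMS or Dwoo code: a defensive pre-filter in front of
// a template-preview endpoint. previewBlock(), the role names and the log
// text are assumptions made for this illustration.

declare(strict_types=1);

/**
 * Validate user-supplied template source before it reaches the template
 * engine. Returns ['ok' => bool, 'reason' => string].
 */
function validate_template_source(string $template): array
{
    // The advisory's root cause is the parser not sanitising the backslash
    // character, so any backslash in untrusted template source is rejected
    // outright rather than guessing how the parser will interpret it.
    if (strpos($template, '\\') !== false) {
        return ['ok' => false, 'reason' => 'backslash not permitted in template source'];
    }
    // Defence in depth: refuse PHP open tags so the source cannot carry
    // inline PHP even if a parser change reintroduced an escape path.
    if (preg_match('/<\?(php|=)?/i', $template) === 1) {
        return ['ok' => false, 'reason' => 'PHP open tag not permitted in template source'];
    }
    return ['ok' => true, 'reason' => ''];
}

/**
 * Least-privilege gate: the advisory notes that any authenticated user can
 * reach the preview endpoint, so restrict it to roles that edit blocks.
 */
function may_preview_block(string $role): bool
{
    $allowed = ['superadmin', 'template_editor']; // assumed role names
    return in_array($role, $allowed, true);
}

/** Hypothetical controller method wrapping both checks. */
function previewBlock(string $role, string $template): string
{
    if (!may_preview_block($role)) {
        error_log("block preview denied: role={$role}");
        http_response_code(403);
        return 'forbidden';
    }
    $check = validate_template_source($template);
    if (!$check['ok']) {
        // A rejected preview is a useful alert signal for detection.
        error_log("block preview rejected: {$check['reason']}");
        http_response_code(400);
        return 'rejected: ' . $check['reason'];
    }
    // Only now would the template be handed to the engine (call elided).
    return 'accepted';
}

// Constructed inputs for demonstration.
var_dump(previewBlock('template_editor', '<h1>{$title}</h1>'));  // clean template
var_dump(previewBlock('template_editor', '{$title}\\" stray'));  // contains a backslash
var_dump(previewBlock('subscriber', '<h1>{$title}</h1>'));      // role without preview rights
```

Rejecting rather than rewriting the input is deliberate: without knowing exactly how the parser tokenises escape sequences, doubling or stripping backslashes risks producing a different string than the one checked. Logging each rejection also gives the SOC a concrete event to alert on while the upstream fix is rolled out.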

Added: Mar 26, 2026, 7:36 PM
Updated: Mar 26, 2026, 7:36 PM

Vulnerability Rating

Custom Algorithm

  spread          2.2
  impact         10.0
  exploitability  6.8
  remediation     0.0
  relevance       4.7
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.