CVE-2025-5498 - Vulnerability Details

A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

No data.

References

Link	Providers
https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23file_get_contents.md
https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23is_file.md
https://github.com/slackero/phpwcms/releases/tag/v1.10.9
https://vuldb.com/?ctiid.310913
https://vuldb.com/?id.310913
https://vuldb.com/?submit.578054
https://vuldb.com/?submit.578055

History

Tue, 03 Jun 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 03 Jun 2025 13:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component.
Title		slackero phpwcms Custom Source Tab cnt21.readform.inc.php is_file deserialization
Weaknesses		CWE-20 CWE-502
References		https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23file_get_contents.md https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23is_file.md https://github.com/slackero/phpwcms/releases/tag/v1.10.9 https://vuldb.com/?ctiid.310913 https://vuldb.com/?id.310913 https://vuldb.com/?submit.578054 https://vuldb.com/?submit.578055
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P'}` cvssV3_0 `{'score': 5.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L'}` cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2025-06-03T13:31:05.263Z

Updated: 2025-06-03T13:45:36.390Z

Reserved: 2025-06-03T05:14:35.178Z

Link: CVE-2025-5498

Vulnrichment

Updated: 2025-06-03T13:45:25.818Z

NVD

Status : Awaiting Analysis

Published: 2025-06-03T14:15:51.313

Modified: 2025-06-04T14:54:33.783

Link: CVE-2025-5498

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object