Listen to this Post
The vulnerability exists in the core update functionality where an authenticated administrator can trigger Remote Code Execution (RCE). The flaw occurs because the `php` parameter, which is user-controlled input from a POST request, is passed directly to the `exec()` function in the `PluginsService::getCoreUpdate()` method. The application fails to apply any allowlist validation, regular expression checks, or escaping functions like escapeshellarg(). The vulnerable code flow begins in PluginsController::get_core_update(), which retrieves the `php` parameter and passes it to the service. The service then concatenates this input into a command string: $command = $php . ' ' . ROOT . DS . 'bin' . DS . 'cake.php composer ' . $targetVersion . ' --php ' . $php . ' --dir ' . TMP . 'update';. An attacker with admin privileges can intercept a valid request containing the CSRF token and modify the `php` parameter to inject arbitrary OS commands, such as php=php;id>/tmp/rce_test;. When executed, the server processes the command, confirming execution with `www-data` privileges. This issue bypasses UI controls and CSRF protections because the endpoint processes the input directly regardless of the frontend display or token validity.
Platform: baserCMS
Version: 5.2.2
Vulnerability: Remote Code Execution
Severity: Critical
date: 2026-03-31
Prediction: 2026-04-15
What Undercode Say:
Analytics: The attack exploits design-level input mishandling. The `exec()` call uses unsanitized user input, bypassing CSRF and UI restrictions.
Command injection PoC curl -X POST "http://target.com/baser/admin/baser-core/plugins/get_core_update" \ -H "Cookie: PHPSESSID=admin_session" \ -d "php=php;id>/tmp/rce_test;&targetVersion=1.0&force=1"
Exploit:
To exploit, an attacker with admin credentials sends a crafted POST request to the endpoint /baser/admin/baser-core/plugins/get_core_update. The `php` parameter contains a semicolon followed by the malicious command. The server executes the command due to lack of validation.
Protection from this CVE:
Apply the fix by using `PHP_BINARY` constant instead of user input. Implement `escapeshellarg()` on all arguments. Consider using `Process` class to avoid shell interpretation. Restrict access to the endpoint if patching is delayed.
Impact:
Successful exploitation allows arbitrary OS command execution, leading to server information disclosure, file read/write, database credential theft, and complete server compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

