How the CVE Works
The vulnerability in phpwcms (up to versions 1.9.45/1.10.8) resides in the Feedimport Module’s `include/inc_module/mod_feedimport/inc/processing.inc.php` file. Attackers can exploit insecure deserialization via the `cnt_text` argument, allowing remote code execution. The flaw occurs due to improper validation of serialized data, enabling malicious payloads to trigger arbitrary PHP object injection. This can lead to full system compromise under the web server’s privileges. Publicly disclosed exploits increase the urgency for patching.
DailyCVE Form
Platform: phpwcms
Version: ≤1.9.45/1.10.8
Vulnerability: Remote Deserialization
Severity: Critical
Date: 06/03/2025
Prediction: Patch by 07/15/2025
What Undercode Says
grep -r "unserialize(" include/inc_module/mod_feedimport/
curl -X POST -d "cnt_text=<malicious_serialized>" http://target/feedimport
How to Exploit
1. Craft malicious serialized payload.
2. Send via `cnt_text` parameter to `processing.inc.php`.
3. Trigger deserialization for RCE.
Protection from this CVE
- Update to v1.9.46/1.10.9.
- Disable Feedimport Module.
- Implement input sanitization.
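As an added example that is not phpwcms code, the insecure pattern the advisory describes beside a hardened form of the "input sanitization" mitigation; the function names are hypothetical and only the `cnt_text` parameter name comes from the advisory.

```php
<?php
// Added example, not phpwcms code. Function names are hypothetical; only the
// cnt_text parameter name comes from the advisory.

// Insecure: untrusted POST data reaches unserialize() unrestricted, so any
// class loaded by the application can be instantiated and its __wakeup() or
// __destruct() executed (PHP object injection).
function processFeedTextInsecure(string $raw): array
{
    $data = unserialize($raw);
    return is_array($data) ? $data : [];
}

// Detection hook: a serialized PHP object begins with O:<len>:"ClassName"
// (or C:<len>:" for custom serializers). A feed-import text field has no
// legitimate reason to carry one, so its presence is worth logging.
function looksLikeSerializedObject(string $raw): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $raw);
}

// Hardened: never instantiate classes from input, then validate the shape.
function processFeedTextSafe(string $raw): array
{
    if (looksLikeSerializedObject($raw)) {
        error_log('feedimport: rejected serialized object in cnt_text');
        return [];
    }
    // allowed_classes => false turns any remaining object into
    // __PHP_Incomplete_Class instead of instantiating it, so no magic
    // methods run (available since PHP 7.0).
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    $clean = [];
    foreach ($data as $key => $value) {
        // Keep only string-keyed scalar entries; drop objects and nesting.
        if (is_string($key) && is_scalar($value)) {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Usage with the POST parameter the advisory names.
$fields = processFeedTextSafe($_POST['cnt_text'] ?? '');
```

For new code paths, JSON (json_decode with assoc=true) avoids the class-instantiation problem entirely and is the better long-term replacement for serialized input.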
Impact
- Remote Code Execution.
- System compromise.
- Data leakage.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode