CVE-2018-25162

MEDIUM

2-Plan Team 1.0.4 - Authenticated RCE

Description

2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. Attackers can upload PHP files through the userfile1 parameter with action=upload. The uploaded files are stored in the files directory, where the web server executes them, resulting in remote code execution.

Exploits (1)

exploitdb WORKING POC
by Ihsan Sencan · text · webapps · php
https://www.exploit-db.com/exploits/45878

Scores

CVSS v3 6.5
EPSS 0.0008
EPSS Percentile 23.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE
CWE-434
Status draft

Timeline

Published Mar 06, 2026
Tracked Since Mar 06, 2026