CVE-2018-25353

HIGH

Redaxo CMS Mediapool Addon 5.5.1 Arbitrary File Upload

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25353. PoCs published by h0n1gsp3cht.

AI-analyzed exploit summary

The exploit describes a file upload vulnerability in Redaxo CMS Mediapool Addon < 5.5.1, where the blacklist for file extensions can be bypassed by using variations like 'php71' or 'php53'. This allows authenticated users to upload malicious files.

Description

Redaxo CMS Mediapool Addon 5.5.1 and older contains an arbitrary file upload vulnerability that allows authenticated users to bypass file extension blacklist restrictions. Attackers with editor accounts can upload executable files by using obfuscated extensions like php71 or php53 to evade the blacklist filter and execute arbitrary code.

Exploits (1)

exploitdb WRITEUP
by h0n1gsp3cht · text · webapps · php
https://www.exploit-db.com/exploits/44891

Classification: Writeup (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Redaxo CMS Mediapool Addon < 5.5.1
Authentication: Required
Prerequisites: Authenticated user account (e.g., editor)
Analyzed by devstral-2 on May 24, 2026

References (4)

Core References

Exploit: ExploitDB-44891
https://www.exploit-db.com/exploits/44891

Product: Official Product Homepage
https://redaxo.org

Product: Product Reference
https://redaxo.org/download/redaxo/5.5.1.zip

Third Party Advisory: VulnCheck Advisory: Redaxo CMS Mediapool Addon 5.5.1 Arbitrary File Upload
https://www.vulncheck.com/advisories/redaxo-cms-mediapool-addon-arbitrary-file-upload

Scores

CVSS v3: 8.8
EPSS: 0.0045
EPSS Percentile: 36.0%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-863
Status: published
Products (1): Redaxo/Redaxo CMS Mediapool < 5.5.1
Published: May 23, 2026
Tracked Since: May 24, 2026