CVE-2018-25388

HIGH

HaPe PKH 1.1 Arbitrary File Upload via aksi_foto.php

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25388. PoCs published by Ihsan Sencan.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file upload vulnerability in HaPe PKH 1.1 by providing multiple HTML forms that allow uploading malicious PHP files to specific paths on the server. The vulnerability arises due to insufficient file type validation in the upload functionality.

Description

HaPe PKH 1.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by bypassing file type validation. Attackers can upload PHP files through multiple endpoints including aksi_foto.php, aksi_user.php, and aksi_kecamatan.php to execute arbitrary code on the server.

Exploits (1)

exploitdb WORKING POC
by Ihsan Sencan · text · webapps · php
https://www.exploit-db.com/exploits/45593


Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: HaPe PKH 1.1
Auth required
Prerequisites: Access to the admin panel · Valid session/authentication
devstral-2 · analyzed May 29, 2026

References (4)

Core References
Exploit: ExploitDB-45593
https://www.exploit-db.com/exploits/45593
Product: Official Product Homepage
http://www.sitejo.id
Third Party Advisory: VulnCheck Advisory: HaPe PKH 1.1 Arbitrary File Upload via aksi_foto.php
https://www.vulncheck.com/advisories/hape-pkh-arbitrary-file-upload-via-aksi-foto-php

Scores

CVSS v3 8.8
EPSS 0.0052
EPSS Percentile 39.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE CWE-434
Status published
Products (1)
Sitejo/HaPe PKH 1.1
Published May 29, 2026
Tracked Since May 29, 2026