CVE-2018-6383

HIGH

Monstra CMS < 3.0.4 - Authenticated Remote Code Execution via .pht or .phar File Upload


Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-6383. PoCs published by Ron Jost.

AI-analyzed exploit summary: This exploit targets Monstra CMS 3.0.4 by leveraging an incomplete file extension blacklist to upload a malicious .phar file, achieving remote code execution. It authenticates as an admin/editor, uploads a PHP-based web shell, and provides interactive shell access.

Description

Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.

Exploits (1)

Exploit-DB · Working PoC
by Ron Jost · python · webapps · php
https://www.exploit-db.com/exploits/49949

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Monstra CMS 3.0.4
Auth required
Prerequisites: Valid admin/editor credentials · Access to the admin panel · Network access to the target
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References
Exploit, Issue Tracking, Third Party Advisory
https://github.com/monstra-cms/monstra/issues/429
Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/162968/Monstra-CMS-3.0.4-Remote-Code-Execution.html

Scores

CVSS v3 8.8
EPSS 0.1358
EPSS Percentile 96.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-184
Status published
Products (1)
monstra/monstra < 3.0.4
Published Jan 29, 2018
Tracked Since Feb 18, 2026