CVE-2018-9038

MEDIUM

Monstra CMS 3.0.4 - Unauthenticated Arbitrary File Deletion via Files Manager

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-9038. PoCs published by Wenming Jiang.

AI-analyzed exploit summary This exploit demonstrates an arbitrary folder deletion vulnerability in Monstra CMS 3.0.4 via a crafted GET request to the filesmanager endpoint. The attack leverages insecure permissions to delete directories without proper validation of the 'delete_dir' parameter.

Description

Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request.

Exploits (1)

exploitdb WORKING POC
by Wenming Jiang · textwebappsphp
https://www.exploit-db.com/exploits/44512

This exploit demonstrates an arbitrary folder deletion vulnerability in Monstra CMS 3.0.4 via a crafted GET request to the filesmanager endpoint. The attack leverages insecure permissions to delete directories without proper validation of the 'delete_dir' parameter.

Classification
Working Poc 100%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Monstra CMS 3.0.4
Auth required
Prerequisites: Valid session cookie (PHPSESSID) · User with page editing permissions
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44512/
Third Party Advisory x_refsource_misc
https://github.com/monstra-cms/monstra/issues/434

Scores

CVSS v3 6.5
EPSS 0.0981
EPSS Percentile 95.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-22
Status published
Products (1)
monstra/monstra 3.0.4
Published Apr 10, 2018
Tracked Since Feb 18, 2026