CVE-2019-10652

HIGH

flatCore 1.4.7 - Authenticated Arbitrary PHP File Upload via Addons Feature


Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-10652. PoCs published by CodeSecLab.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file upload vulnerability in flatCore CMS 1.5.5, allowing authenticated attackers to upload malicious PHP files and achieve remote code execution (RCE). The PoC includes detailed steps for intercepting and modifying upload requests to bypass restrictions.

Description

An issue was discovered in flatCore 1.4.7. acp/acp.php allows remote authenticated administrators to upload arbitrary .php files, related to the addons feature.

Exploits (1)

exploitdb WORKING POC
by CodeSecLab · text · webapps · php
https://www.exploit-db.com/exploits/52165

Classification
Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: flatCore CMS 1.5.5
Auth required
Prerequisites: Valid administrative credentials · CSRF token · PHP session ID
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/flatCore/flatCore-CMS/issues/38

Scores

CVSS v3: 7.2
EPSS: 0.0827
EPSS Percentile: 92.5%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (1): flatcore/flatcore 1.4.7
Published: Mar 30, 2019
Tracked Since: Feb 18, 2026