CVE-2019-8908

CRITICAL

WTCMS 1.0 - RCE

Title source: llm

Description

An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting -> Mailbox configuration -> Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/gif" header.

References (1)

[Exploit, Third Party Advisory] https://github.com/taosir/wtcms/issues/3

Scores

CVSS v3 9.8

EPSS 0.0084

EPSS Percentile 74.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-706

Status published

Affected Products (1)

wtcms_project/wtcms

Timeline

Published Feb 18, 2019

Tracked Since Feb 18, 2026