CVE-2020-23653

CRITICAL

ThinkAdmin <6.x - Code Injection

Title source: llm

Description

An insecure unserialize vulnerability was discovered in ThinkAdmin versions 4.x through 6.x in app/admin/controller/api/Update.php and app/wechat/controller/api/Push.php, which may lead to arbitrary remote code execution.

References (1)

[Exploit, Third Party Advisory] https://github.com/zoujingli/ThinkAdmin/issues/238

Scores

CVSS v3 9.8

EPSS 0.1120

EPSS Percentile 93.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

thinkadmin/thinkadmin < 6.0

zoujingli/thinkadmin < 6.1.0Packagist

Timeline

Published Jan 13, 2021

Tracked Since Feb 18, 2026