CVE-2023-53950

CRITICAL

InnovaStudio WYSIWYG Editor 5.4 - Unrestricted File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53950. PoCs published by Zer0FauLT.

AI-analyzed exploit summary This exploit demonstrates an unrestricted file upload vulnerability in InnovaStudio WYSIWYG Editor 5.4 by bypassing file extension restrictions via null byte injection. It allows uploading a malicious ASP file to achieve remote code execution.

Description

InnovaStudio WYSIWYG Editor 5.4 contains an unrestricted file upload vulnerability that allows attackers to bypass file extension restrictions through filename manipulation. Attackers can upload malicious ASP shells by using null byte techniques and alternate file extensions to circumvent upload controls in the asset manager.

Exploits (1)

exploitdb WORKING POC

by Zer0FauLT · textwebappsasp

https://www.exploit-db.com/exploits/51362

View Code ZIP pw:eip

This exploit demonstrates an unrestricted file upload vulnerability in InnovaStudio WYSIWYG Editor 5.4 by bypassing file extension restrictions via null byte injection. It allows uploading a malicious ASP file to achieve remote code execution.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: InnovaStudio WYSIWYG Editor <= 5.4

No auth needed

Prerequisites: Access to the asset manager upload endpoint · Ability to send crafted HTTP requests

MITRE ATT&CK

T1133 - External Remote Services T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/51362

Various Sources product

https://innovastudio.com

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/innovastudio-wysiwyg-editor-unrestricted-file-upload-via-filename-manipulation

Scores

CVSS v3 9.8

EPSS 0.0056

EPSS Percentile 41.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

innovastudio/WYSIWYG Editor < 5.4

Published Dec 19, 2025

Tracked Since Feb 18, 2026