CVE-2025-15495

MEDIUM

BiggiDroid Simple PHP CMS 1.0 - Unrestricted File Upload via Image Parameter in /admin/editsite.php


Exploitation Summary

EIP tracks one public exploit for CVE-2025-15495, a PoC published by Asim-QAZi.

AI-analyzed exploit summary: The PoC demonstrates an arbitrary file upload in BiggiDroid's Simple PHP Blog CMS. An attacker who is already authenticated to the admin panel uploads a PHP file disguised as an image through the logo upload and then requests it from the web root, obtaining remote code execution (RCE). The root cause is that the upload handler validates neither the file extension, nor the MIME type, nor the file content.

Description

A vulnerability was found in BiggiDroid Simple PHP CMS 1.0. It affects an unknown function in the file /admin/editsite.php: manipulation of the image argument (the admin-panel logo upload) results in an unrestricted file upload. The attack can be launched remotely but requires admin-level privileges (CVSS PR:H). A public exploit exists and could be used. The vendor was contacted early about this disclosure but did not respond in any way. Note that the CVSS vector scores only low confidentiality, integrity and availability impact (4.7) even though the PoC claims RCE; treat the score as conservative when the admin panel is reachable from untrusted networks or admin credentials are weak.
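The hardened upload handling the description calls for, as an added example (this is not code from Simple PHP CMS or from the PoC author; the page does not show the CMS source). The unsafe function reproduces the pattern the description implies, trusting the client-supplied filename; the function names, the $uploadDir parameter and the 2 MB size limit are assumptions. It needs PHP 8 with the fileinfo and GD extensions.

```php
<?php
// Added example, not the CMS's own code. The vulnerable pattern is assumed
// from the page's description (no extension, MIME or content checks); the
// real /admin/editsite.php source is not on the page.

// --- Vulnerable pattern (assumed): trusts the client-supplied name ----------
function save_logo_unsafe(array $file, string $uploadDir): string
{
    // $file['name'] is attacker-controlled: "logo.php" is written verbatim
    // into a web-served directory and executes on the next GET request.
    $dest = rtrim($uploadDir, '/') . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened replacement ---------------------------------------------------
function save_logo_safe(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > 2 * 1024 * 1024) {   // assumed limit
        throw new RuntimeException('logo too large');
    }

    // 1. Decide the type from the file *content*, never from $file['name']
    //    or the client-supplied $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("disallowed type: $mime");
    }

    // 2. Re-encode through GD. A GIF/PHP polyglot ("GIF89a<?php ...") passes
    //    a magic-byte check, but only the decoded pixels are re-serialized
    //    here, so trailing PHP bytes never reach the file we write to disk.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }

    // 3. Server-generated name with a fixed, allow-listed extension; the
    //    client never influences the destination path.
    $ext  = $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($ext) {
        'png' => imagepng($img, $dest),
        'jpg' => imagejpeg($img, $dest, 90),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write logo');
    }
    return $dest;
}
```

Even with the hardened handler, deny script execution in the upload directory at the web server (for Apache, `php_admin_flag engine off` in a `<Directory>` block for it; for nginx, simply do not route requests under that path to PHP-FPM), so that a future validation bypass yields a stored file rather than code execution.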

Exploits (1)

nomisec WORKING POC
by Asim-QAZi · poc
https://github.com/Asim-QAZi/RCE-Simplephpblog-biggiedroid

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: BiggiDroid – Simple PHP Blog CMS
Auth required: yes
Prerequisites: Authenticated access to the admin panel · Network access to the target server
Analyzed Feb 16, 2026 by devstral-2

References (6)

Core References

Third Party Advisory, VDB Entry (technical description): https://vuldb.com/?id.340273
Permissions Required, VDB Entry (signature): https://vuldb.com/?ctiid.340273
Third Party Advisory, VDB Entry: https://vuldb.com/?submit.725890
Third Party Advisory, VDB Entry: https://vuldb.com/?submit.726040
Exploit, Issue Tracking: https://gitee.com/hdert/ck/issues/IDGO28
Exploit, Third Party Advisory: https://github.com/Asim-QAZi/RCE-Simplephpblog-biggiedroid

Scores

CVSS v3: 4.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)
Attack Vector: NETWORK
EPSS: 0.0002 (percentile 5.5%)

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE
CWE-284 (Improper Access Control), CWE-434 (Unrestricted Upload of File with Dangerous Type)
Status published
Products (1)
biggidroid/simple_php_cms 1.0
Published Jan 09, 2026
Tracked Since Feb 18, 2026