This exploit demonstrates an authenticated arbitrary file upload vulnerability in Cart Engine 3.0.0, allowing remote code execution by uploading a malicious PHP script via multiple modules. The uploaded file can be executed to achieve command execution on the target system.
Classification
Working PoC 100%
Target:
Cart Engine 3.0.0
Auth required
Prerequisites:
Authenticated user with 'Regular' or 'Editor' privileges
Access to vulnerable modules (qBanner, File Manager, Slideshow, Categories)