{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-5498", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-06-03T05:14:35.178Z", "datePublished": "2025-06-03T13:31:05.263Z", "dateUpdated": "2025-06-03T13:45:36.390Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-06-03T13:31:05.263Z"}, "title": "slackero phpwcms Custom Source Tab cnt21.readform.inc.php is_file deserialization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "Deserialization"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-20", "lang": "en", "description": "Improper Input Validation"}]}], "affected": [{"vendor": "slackero", "product": "phpwcms", "versions": [{"version": "1.9.0", "status": "affected"}, {"version": "1.9.1", "status": "affected"}, {"version": "1.9.2", "status": "affected"}, {"version": "1.9.3", "status": "affected"}, {"version": "1.9.4", "status": "affected"}, {"version": "1.9.5", "status": "affected"}, {"version": "1.9.6", "status": "affected"}, {"version": "1.9.7", "status": "affected"}, {"version": "1.9.8", "status": "affected"}, {"version": "1.9.9", "status": "affected"}, {"version": "1.9.10", "status": "affected"}, {"version": "1.9.11", "status": "affected"}, {"version": "1.9.12", "status": "affected"}, {"version": "1.9.13", "status": "affected"}, {"version": "1.9.14", "status": "affected"}, {"version": "1.9.15", "status": "affected"}, {"version": "1.9.16", "status": "affected"}, {"version": "1.9.17", "status": "affected"}, {"version": "1.9.18", "status": "affected"}, {"version": "1.9.19", "status": "affected"}, {"version": "1.9.20", "status": "affected"}, {"version": "1.9.21", "status": "affected"}, {"version": "1.9.22", "status": "affected"}, {"version": "1.9.23", "status": "affected"}, {"version": "1.9.24", "status": "affected"}, {"version": "1.9.25", "status": "affected"}, {"version": "1.9.26", "status": "affected"}, {"version": "1.9.27", "status": "affected"}, {"version": "1.9.28", "status": "affected"}, {"version": "1.9.29", "status": "affected"}, {"version": "1.9.30", "status": "affected"}, {"version": "1.9.31", "status": "affected"}, {"version": "1.9.32", "status": "affected"}, {"version": "1.9.33", "status": "affected"}, {"version": "1.9.34", "status": "affected"}, {"version": "1.9.35", "status": "affected"}, {"version": "1.9.36", "status": "affected"}, {"version": "1.9.37", "status": "affected"}, {"version": "1.9.38", "status": "affected"}, {"version": "1.9.39", "status": "affected"}, {"version": "1.9.40", "status": "affected"}, {"version": "1.9.41", "status": "affected"}, {"version": "1.9.42", "status": "affected"}, {"version": "1.9.43", "status": "affected"}, {"version": "1.9.44", "status": "affected"}, {"version": "1.9.45", "status": "affected"}, {"version": "1.10.0", "status": "affected"}, {"version": "1.10.1", "status": "affected"}, {"version": "1.10.2", "status": "affected"}, {"version": "1.10.3", "status": "affected"}, {"version": "1.10.4", "status": "affected"}, {"version": "1.10.5", "status": "affected"}, {"version": "1.10.6", "status": "affected"}, {"version": "1.10.7", "status": "affected"}, {"version": "1.10.8", "status": "affected"}], "modules": ["Custom Source Tab"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component."}, {"lang": "de", "value": "Eine Schwachstelle wurde in slackero phpwcms bis 1.9.45/1.10.8 ausgemacht. Sie wurde als kritisch eingestuft. Betroffen davon ist die Funktion file_get_contents/is_file der Datei include/inc_lib/content/cnt21.readform.inc.php der Komponente Custom Source Tab. Durch das Beeinflussen des Arguments cpage_custom mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 1.9.46 and 1.10.9 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "timeline": [{"time": "2025-06-03T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-06-03T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-06-03T07:19:44.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Dem0 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.310913", "name": "VDB-310913 | slackero phpwcms Custom Source Tab cnt21.readform.inc.php is_file deserialization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.310913", "name": "VDB-310913 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.578054", "name": "Submit #578054 | phpwcms 1.10.8 phar/php filter vulnerability", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/?submit.578055", "name": "Submit #578055 | phpwcms 1.10.8 phar/php filter vulnerability (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23file_get_contents.md", "tags": ["related"]}, {"url": "https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23is_file.md", "tags": ["exploit"]}, {"url": "https://github.com/slackero/phpwcms/releases/tag/v1.10.9", "tags": ["patch"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-03T13:45:19.219062Z", "id": "CVE-2025-5498", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-03T13:45:36.390Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5498", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-03T13:45:19.219062Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-03T13:45:25.818Z"}}], "cna": {"title": "slackero phpwcms Custom Source Tab cnt21.readform.inc.php is_file deserialization", "credits": [{"lang": "en", "type": "reporter", "value": "Dem0 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "affected": [{"vendor": "slackero", "modules": ["Custom Source Tab"], "product": "phpwcms", "versions": [{"status": "affected", "version": "1.9.0"}, {"status": "affected", "version": "1.9.1"}, {"status": "affected", "version": "1.9.2"}, {"status": "affected", "version": "1.9.3"}, {"status": "affected", "version": "1.9.4"}, {"status": "affected", "version": "1.9.5"}, {"status": "affected", "version": "1.9.6"}, {"status": "affected", "version": "1.9.7"}, {"status": "affected", "version": "1.9.8"}, {"status": "affected", "version": "1.9.9"}, {"status": "affected", "version": "1.9.10"}, {"status": "affected", "version": "1.9.11"}, {"status": "affected", "version": "1.9.12"}, {"status": "affected", "version": "1.9.13"}, {"status": "affected", "version": "1.9.14"}, {"status": "affected", "version": "1.9.15"}, {"status": "affected", "version": "1.9.16"}, {"status": "affected", "version": "1.9.17"}, {"status": "affected", "version": "1.9.18"}, {"status": "affected", "version": "1.9.19"}, {"status": "affected", "version": "1.9.20"}, {"status": "affected", "version": "1.9.21"}, {"status": "affected", "version": "1.9.22"}, {"status": "affected", "version": "1.9.23"}, {"status": "affected", "version": "1.9.24"}, {"status": "affected", "version": "1.9.25"}, {"status": "affected", "version": "1.9.26"}, {"status": "affected", "version": "1.9.27"}, {"status": "affected", "version": "1.9.28"}, {"status": "affected", "version": "1.9.29"}, {"status": "affected", "version": "1.9.30"}, {"status": "affected", "version": "1.9.31"}, {"status": "affected", "version": "1.9.32"}, {"status": "affected", "version": "1.9.33"}, {"status": "affected", "version": "1.9.34"}, {"status": "affected", "version": "1.9.35"}, {"status": "affected", "version": "1.9.36"}, {"status": "affected", "version": "1.9.37"}, {"status": "affected", "version": "1.9.38"}, {"status": "affected", "version": "1.9.39"}, {"status": "affected", "version": "1.9.40"}, {"status": "affected", "version": "1.9.41"}, {"status": "affected", "version": "1.9.42"}, {"status": "affected", "version": "1.9.43"}, {"status": "affected", "version": "1.9.44"}, {"status": "affected", "version": "1.9.45"}, {"status": "affected", "version": "1.10.0"}, {"status": "affected", "version": "1.10.1"}, {"status": "affected", "version": "1.10.2"}, {"status": "affected", "version": "1.10.3"}, {"status": "affected", "version": "1.10.4"}, {"status": "affected", "version": "1.10.5"}, {"status": "affected", "version": "1.10.6"}, {"status": "affected", "version": "1.10.7"}, {"status": "affected", "version": "1.10.8"}]}], "timeline": [{"lang": "en", "time": "2025-06-03T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-06-03T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-06-03T07:19:44.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.310913", "name": "VDB-310913 | slackero phpwcms Custom Source Tab cnt21.readform.inc.php is_file deserialization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.310913", "name": "VDB-310913 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.578054", "name": "Submit #578054 | phpwcms 1.10.8 phar/php filter vulnerability", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/?submit.578055", "name": "Submit #578055 | phpwcms 1.10.8 phar/php filter vulnerability (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23file_get_contents.md", "tags": ["related"]}, {"url": "https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23is_file.md", "tags": ["exploit"]}, {"url": "https://github.com/slackero/phpwcms/releases/tag/v1.10.9", "tags": ["patch"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component."}, {"lang": "de", "value": "Eine Schwachstelle wurde in slackero phpwcms bis 1.9.45/1.10.8 ausgemacht. Sie wurde als kritisch eingestuft. Betroffen davon ist die Funktion file_get_contents/is_file der Datei include/inc_lib/content/cnt21.readform.inc.php der Komponente Custom Source Tab. Durch das Beeinflussen des Arguments cpage_custom mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 1.9.46 and 1.10.9 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "Improper Input Validation"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-06-03T13:31:05.263Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5498", "state": "PUBLISHED", "dateUpdated": "2025-06-03T13:45:36.390Z", "dateReserved": "2025-06-03T05:14:35.178Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-06-03T13:31:05.263Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpwcms:phpwcms:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A6F0918-7CD4-4F0A-B7F0-FB401A92DDEA", "versionEndExcluding": "1.9.46", "vulnerable": true}, {"criteria": "cpe:2.3:a:phpwcms:phpwcms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1CA12E3-ABD9-408D-A75F-278E11B5D42E", "versionEndExcluding": "1.10.9", "versionStartIncluding": "1.10.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en slackero phpwcms hasta la versi\u00f3n 1.9.45/1.10.8. Se ha clasificado como cr\u00edtica. Este problema afecta a la funci\u00f3n file_get_contents/is_file del archivo include/inc_lib/content/cnt21.readform.inc.php del componente Custom Source Tab. La manipulaci\u00f3n del argumento cpage_custom provoca la deserializaci\u00f3n. El ataque puede ejecutarse en remoto. Se ha hecho p\u00fablico el exploit y puede que sea utilizado. Actualizar a las versiones 1.9.46 y 1.10.9 puede solucionar este problema. Se recomienda actualizar el componente afectado."}], "id": "CVE-2025-5498", "lastModified": "2026-01-20T15:38:18.167", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-06-03T14:15:51.313", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23file_get_contents.md"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/3em0/cve_repo/blob/main/phpwcms/cnt21.readform.inc.php%23is_file.md"}, {"source": "cna@vuldb.com", "tags": ["Release Notes"], "url": "https://github.com/slackero/phpwcms/releases/tag/v1.10.9"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.310913"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.310913"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.578054"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.578055"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-502"}], "source": "cna@vuldb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}