CVE-2021-36426

8.8 HIGH

📋 TL;DR

This CVE describes a remote code execution vulnerability in phpwcms 1.9.25: the file upload handling lets an attacker place a file containing server-side code on the server and have the web server execute it. Default installations are affected. A successful upload compromises the web application and, from there, the underlying host.

💻 Affected Systems

Products:
  • phpwcms
Versions: 1.9.25
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations without additional file upload restrictions.

📦 What is this software?

phpwcms is an open-source web content management system written in PHP and backed by MySQL; development happens on GitHub under slackero/phpwcms.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise allowing data theft, malware deployment, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Webshell installation leading to website defacement, data exfiltration, and use of the host as an attack platform.

🟢 If Mitigated

Limited impact when files in the upload directories cannot be executed by the web server and server-side upload validation or a web application firewall rejects script payloads.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Check the CVSS vector before assuming so
Complexity: LOW

The 8.8 score shown above does not fit an unauthenticated, no-interaction exploit: a network-reachable, low-complexity vulnerability with high confidentiality, integrity and availability impact and neither privileges nor user interaction required scores 9.8 under CVSS v3. An 8.8 means either a low-privileged account (PR:L) or user interaction (UI:R) is part of the attack path; for a CMS upload bug that usually means a backend login. Once that precondition is met, exploitation is a simple file upload, and a public proof-of-concept exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.26

Vendor Advisory: https://github.com/slackero/phpwcms/issues/312 (upstream GitHub issue)

Restart Required: No, unless PHP opcache runs with opcache.validate_timestamps=0; in that case reload PHP-FPM or the web server so the replaced files are actually used.

Instructions:

1. Back up the phpwcms installation and its database.
2. Download phpwcms 1.9.26 or later.
3. Replace all application files, leaving the configuration files and the upload directories in place.
4. Verify the site works and confirm that the version reported by the admin interface is 1.9.26 or later.

🔧 Temporary Workarounds

Deny Script Execution in the Upload Directories

linux

include/inc_lib/general.inc.php is PHP library code, not an upload directory. Setting it to mode 644 and root ownership is the normal state for application code and does no harm, but it does not stop uploads: the web server still reads and executes the file. The hardening that actually limits this bug is on the directories uploads land in. They must stay writable by the web server user, but nothing in them should ever be executed as PHP: under Apache an .htaccess that denies *.php, *.phtml, *.phar and similar (requires AllowOverride for that directory), under nginx an equivalent location rule that returns 403 for script extensions below the upload path. Keep the application code itself read-only:

chmod 644 include/inc_lib/general.inc.php
chown root:root include/inc_lib/general.inc.php

Web Application Firewall Rule

all

Block multipart POST requests whose uploaded filename carries a script extension (.php, .phtml, .phar, .php5 and similar, including double extensions such as .php.jpg) to the phpwcms upload endpoints. A rule keyed only on the path include/inc_lib/general.inc.php is harmless but may never match, because that file is library code included by other scripts rather than the URI an upload request is sent to.

🧯 If You Can't Patch

  • Implement strict server-side upload validation: an allow-list of non-executable types, checked on the stored filename and the file content, not on the client-supplied MIME type
  • Disable file upload functionality entirely if not required
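The following script is an added example of the two workarounds above and is not phpwcms project code: it writes an Apache deny rule into an upload directory so nothing there is ever executed as PHP, and it hunts for files that may already have been uploaded, both by extension and by content (an image/PHP polyglot such as GIF89a<?php ... passes an extension check). Assumptions: Apache with AllowOverride enabled for the directory, GNU grep (for -a), and an upload directory path supplied by the caller.

```shell
#!/bin/sh
# Added example, not phpwcms project code. Deny execution of server-side
# scripts in an upload directory and report script files already present.
# Assumes Apache honours .htaccess for the directory (AllowOverride) and
# GNU grep; the directory path is passed in by the caller.

# "Require all denied" refuses the request itself, so it works with mod_php
# and PHP-FPM alike ("php_flag engine off" is only honoured by mod_php).
HTACCESS_CONTENT='<FilesMatch "\.(php|php[0-9]|phtml|phar|pht|phps)$">
    Require all denied
</FilesMatch>'

# Write (or overwrite) the deny rule into the given upload directory.
write_deny_htaccess() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    printf '%s\n' "$HTACCESS_CONTENT" > "$dir/.htaccess"
    chmod 644 "$dir/.htaccess"
}

# List files whose extension the web server would hand to PHP.
find_scripts_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
        -o -iname '*.phar' -o -iname '*.pht' -o -iname '*.phps' \)
}

# List files containing a PHP open tag regardless of extension. This catches
# polyglots that extension checks miss; -a makes grep scan binaries as text.
find_php_payloads() {
    grep -rla '<?php' "$1" 2>/dev/null
}

# Usage: ./harden_uploads.sh /var/www/phpwcms/upload   (path is an assumption)
if [ -n "$1" ]; then
    write_deny_htaccess "$1"
    echo "== files with script extensions =="; find_scripts_in_uploads "$1"
    echo "== files containing <?php ==";        find_php_payloads "$1"
fi
```

Treat every file the second listing reports as evidence, not just as cleanup work: copy it off the host with its timestamps before removing it, and pull the access log lines around its creation time.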

🔍 How to Verify

Check if Vulnerable:

Check whether the installed phpwcms version is 1.9.25 (or any earlier release) in the admin interface, or by grepping the installation for the version string.

Check Version:

grep -r --include='*.php' 'phpwcms_version' . 2>/dev/null || cat version.php 2>/dev/null

Verify Fix Applied:

Verify that the version is 1.9.26 or later, then exercise the upload feature with a file carrying a script extension (for example .php or .phtml) and confirm that the request is rejected or that the stored file is not executed when requested.
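As an added example (not phpwcms project code) of the version check described above, the script below extracts a dotted version from whatever file you feed it and compares it numerically against the 1.9.26 fix release, so that 1.9.9 is correctly treated as older than 1.9.26 where a plain string comparison would not. The sample line it ships with is constructed for the demonstration and is not the real contents of any phpwcms file; the install path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not phpwcms project code: pull the version string out of an
# installation and decide whether it predates the 1.9.26 fix release.
# Assumption: the version appears as a dotted x.y.z string in the input
# (the admin interface shows the same value if grep finds nothing).

FIXED_VERSION=1.9.26

# Constructed sample line in the shape a PHP config assignment would take.
SAMPLE_VERSION_LINE="\$phpwcms['version'] = '1.9.25';"

# Compare two dotted versions field by field as integers. Prints -1, 0 or 1.
# Trailing text such as "-rc1" is ignored; a missing field counts as 0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=''; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=''; else b="${b#*.}"; fi
        x=$(printf '%s' "$x" | sed 's/[^0-9].*$//'); x="${x:-0}"
        y=$(printf '%s' "$y" | sed 's/[^0-9].*$//'); y="${y:-0}"
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# Extract the first dotted version number from stdin.
extract_version() {
    grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Exit 0 when the given version predates the fix release.
is_vulnerable_version() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Usage against a live install (path is an assumption; adjust to yours):
#   v=$(grep -rh --include='*.php' "1\.9\." /var/www/phpwcms | extract_version)
#   is_vulnerable_version "$v" && echo "phpwcms $v: update to $FIXED_VERSION"
```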

📡 Detection & Monitoring

Log Indicators:

  • POST requests naming include/inc_lib/general.inc.php (weak signal: the file is library code, so an upload request is more likely to hit the script that includes it)
  • Requests for files with script extensions (.php, .phtml, .phar) below the upload directories, especially ones answered with 200 (strong signal: something already got uploaded and is being used)
  • Unusual file creation in web directories
  • POST requests with file uploads to unusual paths

Network Indicators:

  • HTTP POST requests with file uploads to include/inc_lib/general.inc.php
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND (uri="*include/inc_lib/general.inc.php*" AND method="POST")
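As an added example (not phpwcms project code), the script below runs the same two indicators over access-log lines in Apache/nginx combined format: the page's SIEM rule (POST naming the vulnerable library) and the stronger follow-up signal, a request for a script-extension file under the upload path. The log lines are constructed for the demonstration; the upload URI prefix is an assumption held in UPLOAD_PREFIX and defaults to /upload/, so set it to your installation's real path.

```shell
#!/bin/sh
# Added example, not phpwcms project code: run the page's log indicators over
# web server access-log lines in combined format.
# Assumption: uploads are served below the URI prefix in UPLOAD_PREFIX
# (default /upload/; set it to your installation's real upload path).

# Constructed sample log: a benign page view, a POST naming the vulnerable
# library, a request for a .php file under the upload path (a webshell being
# used), and a benign image fetch.
SAMPLE_LOG='203.0.113.7 - - [10/Jul/2021:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2021:10:01:09 +0000] "POST /include/inc_lib/general.inc.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2021:10:01:15 +0000] "GET /upload/cmd.php?c=id HTTP/1.1" 200 57 "-" "curl/7.68.0"
198.51.100.2 - - [10/Jul/2021:10:02:00 +0000] "GET /upload/banner.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"'

# Read combined-format lines on stdin and print one tagged line per hit.
# Fields: $1 client, $6 "METHOD (leading quote stripped), $7 URI, $9 status.
scan_log() {
    awk -v prefix="${UPLOAD_PREFIX:-/upload/}" '
    {
        method = substr($6, 2)
        uri    = $7
        status = $9
        if (method == "POST" && index(uri, "include/inc_lib/general.inc.php") > 0)
            print "UPLOAD_ATTEMPT", $1, uri, status
        else if (index(uri, prefix) == 1 && uri ~ /\.(php[0-9]?|phtml|phar|pht)([?]|$)/)
            print "WEBSHELL_HIT", $1, uri, status
    }'
}

# Count hits of one tag on stdin, e.g. count_tag WEBSHELL_HIT < access.log
count_tag() {
    scan_log | grep -c "^$1" || true
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | scan_log
#        scan_log < /var/log/apache2/access.log   (log path is an assumption)
```

A WEBSHELL_HIT with status 200 from the same client that produced an UPLOAD_ATTEMPT minutes earlier is the sequence to alert on; pivot from it to the file's creation time on disk and to that client's other requests.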
