CVE-2025-13061 – CVE-2025-13061 is an unrestricted file upload v... (How to Fix)

Q: What is the severity of CVE-2025-13061?

CVE-2025-13061 has a CVSS score of 6.3 (MEDIUM). CVE-2025-13061 is an unrestricted file upload vulnerability in itsourcecode Online Voting System 1.0 that allows attackers to upload malicious files to the /index.php?page=manage_voting endpoint. This can lead to remote code execution or system compromise. Organizations using this specific voting system version are affected.

📋 TL;DR

CVE-2025-13061 is an unrestricted file upload vulnerability in itsourcecode Online Voting System 1.0 that allows attackers to upload malicious files to the /index.php?page=manage_voting endpoint. This can lead to remote code execution or system compromise. Organizations using this specific voting system version are affected.

💻 Affected Systems

Products:

itsourcecode Online Voting System

Versions: 1.0

Operating Systems: Any OS running PHP web server

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects the specific voting system from itsourcecode.com, not other voting systems.

📦 What is this software?

Online Voting System by Angeljudesuarez

View all CVEs affecting Online Voting System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through remote code execution, allowing attackers to steal data, deploy ransomware, or pivot to other systems.

🟠

Likely Case

Webshell deployment leading to data theft, defacement, or use as a foothold for further attacks.

🟢

If Mitigated

Limited impact if file uploads are blocked at network perimeter or web application firewall.

🌐 Internet-Facing: HIGH - Attack can be carried out remotely without authentication, making internet-facing instances extremely vulnerable.

🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access, reducing exposure.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit available on GitHub, simple file upload manipulation required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative voting system or implementing workarounds.

🔧 Temporary Workarounds

Web Application Firewall Rule

all

Block file uploads to /index.php?page=manage_voting endpoint

WAF specific - configure rule to block POST requests with file uploads to vulnerable path

File Upload Restriction

linux

Implement server-side file type validation and restrict upload directory permissions

chmod 755 upload_directory/
Configure PHP to only allow specific file extensions

🧯 If You Can't Patch

Isolate the voting system on separate network segment with strict firewall rules
Implement application-level input validation and file type checking

🔍 How to Verify

Check if Vulnerable:

Attempt to upload a test file (e.g., test.txt) to /index.php?page=manage_voting and check if it's accepted without proper validation

Check Version:

Check system documentation or admin panel for version information

Verify Fix Applied:

Test file upload with various extensions; only allowed file types should be accepted

📡 Detection & Monitoring

Log Indicators:

Multiple file upload attempts to manage_voting endpoint
Uploads of suspicious file types (.php, .exe, .sh)

Network Indicators:

POST requests with file uploads to vulnerable endpoint
Unusual outbound connections from web server

SIEM Query:

source="web_server" AND uri="/index.php?page=manage_voting" AND method="POST" AND content_type="multipart/form-data"

📊 Metadata

CVE ID: CVE-2025-13061

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-284

EPSS Score: 0.05% exploit probability (14.8th percentile)

Published: November 12, 2025

Last Updated: November 17, 2025

🔗 References

https://github.com/yihaofuweng/cve/issues/55 Exploit,Issue Tracking,Third Party Advisory
https://itsourcecode.com/ Product
https://vuldb.com/?ctiid.332188 Permissions Required,VDB Entry
https://vuldb.com/?id.332188 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.682587 Third Party Advisory,VDB Entry
https://github.com/yihaofuweng/cve/issues/55 Exploit,Issue Tracking,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13061, you might also want to check these: