CVE-2025-15262
📋 TL;DR
BiggiDroid Simple PHP CMS 1.0 has an unrestricted file upload vulnerability in the Site Logo Handler component. Attackers can upload malicious files via the /admin/edit.php file's image parameter, potentially leading to remote code execution. This affects all installations of BiggiDroid Simple PHP CMS 1.0.
💻 Affected Systems
- BiggiDroid Simple PHP CMS
📦 What is this software?
Simple Php Cms by Biggidroid
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker uploads a web shell, gains full control of the web server, and pivots to internal network systems.
Likely Case
Attacker uploads malicious PHP files to execute arbitrary code, deface websites, or steal data from the CMS database.
If Mitigated
If proper file upload validation is implemented, only legitimate image files can be uploaded, preventing code execution.
🎯 Exploit Status
Exploit details are publicly available. Attack requires admin authentication but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None known
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available, or implement workarounds.
🔧 Temporary Workarounds
Implement File Upload Validation
Add server-side validation to restrict uploaded files to specific image types (e.g., .jpg, .png) and verify file signatures.
Modify /admin/edit.php to include file type checking and MIME validation.
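The following is an added example of such a hardened handler for the image field, not code from BiggiDroid Simple PHP CMS; the upload directory path and the size cap are assumptions.

```php
<?php
// Added example (not BiggiDroid's code): hardened handler for the "image"
// upload field named in the advisory. LOGO_DIR and MAX_BYTES are assumed.
declare(strict_types=1);

const LOGO_DIR  = __DIR__ . '/../uploads/logo';   // assumed storage path
const MAX_BYTES = 2 * 1024 * 1024;                // assumed 2 MiB cap

// Extension allowlist, each mapped to the MIME type the *content* must have.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Validate one entry of $_FILES and move it to LOGO_DIR under a random name.
// Returns the stored file name; throws on any validation failure.
function store_site_logo(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid upload');
    }
    // 1. Extension allowlist on the client-supplied name (cheap first filter).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }
    // 2. Signature-based MIME check: reads the magic bytes of the file and
    //    ignores the client-controlled Content-Type entirely.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('File content does not match extension');
    }
    // 3. The file must actually parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    // 4. Never reuse the client file name: a random name with the validated
    //    extension leaves no .php/.phtml or double-extension name to execute.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], LOGO_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}
// In /admin/edit.php, after the admin authentication check:
// $logo = store_site_logo($_FILES['image']);
```

Because a valid image can still carry embedded PHP in its metadata, pair this with a web server rule that disables script execution inside the upload directory.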
Restrict Access to Admin Panel
Limit access to the /admin directory using IP whitelisting or strong authentication mechanisms.
Add .htaccess rules to restrict IPs (Apache 2.2 syntax; on Apache 2.4 use Require ip 192.168.1.0/24 instead):
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
🧯 If You Can't Patch
- Disable the Site Logo Handler functionality entirely if not needed.
- Implement a Web Application Firewall (WAF) with rules to block malicious file uploads.
🔍 How to Verify
Check if Vulnerable:
Check if /admin/edit.php exists and lacks proper file upload validation for the image parameter.
Check Version:
Check CMS version in configuration files or admin panel; look for 'BiggiDroid Simple PHP CMS 1.0'.
Verify Fix Applied:
Attempt to upload a non-image file via /admin/edit.php; it should be rejected with proper error messages.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /admin/edit.php, especially non-image files or files with executable extensions.
Network Indicators:
- HTTP POST requests to /admin/edit.php with file uploads containing suspicious content.
SIEM Query:
source="web_logs" AND uri="/admin/edit.php" AND method="POST" AND (file_extension="php" OR file_extension="exe")