CVE-2025-5497
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code through deserialization of untrusted data in phpwcms's Feedimport module. Attackers can exploit this by manipulating the cnt_text parameter to achieve remote code execution. All users running affected versions of slackero phpwcms are vulnerable.
💻 Affected Systems
- slackero phpwcms
📦 What is this software?
Phpwcms by Phpwcms
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with remote code execution leading to data theft, ransomware deployment, or creation of persistent backdoors.
Likely Case
Remote code execution allowing attackers to deface websites, steal sensitive data, or use the server for malicious activities.
If Mitigated
Limited impact if proper input validation and deserialization controls are in place, but still potentially exploitable.
🎯 Exploit Status
Exploit is publicly available and can be executed remotely without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.46 and 1.10.9
Vendor Advisory: https://github.com/slackero/phpwcms/releases/tag/v1.10.9
Restart Required: No
Instructions:
1. Back up your current installation.
2. Download the patched version from the official repository.
3. Replace affected files with patched versions.
4. Verify the patch is applied by checking the file hash matches the commit 41a72eca0baa9d9d0214fec97db2400bc082d2a9.
🔧 Temporary Workarounds
Disable Feedimport Module
Linux: Temporarily disable the vulnerable Feedimport module to prevent exploitation.
mv include/inc_module/mod_feedimport include/inc_module/mod_feedimport.disabled
Input Validation Filter
All platforms: Add input validation to sanitize the cnt_text parameter before processing.
Add validation in processing.inc.php to filter or reject malicious input
🧯 If You Can't Patch
- Implement strict WAF rules to block requests containing serialized objects in cnt_text parameter.
- Restrict network access to the phpwcms instance and monitor for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check if your phpwcms version is 1.9.45 or earlier, or 1.10.8 or earlier, and if the Feedimport module is present.
Check Version:
Check the version in the phpwcms configuration files or admin panel.
Verify Fix Applied:
Verify that the file include/inc_module/mod_feedimport/inc/processing.inc.php has been updated with the patch from commit 41a72eca0baa9d9d0214fec97db2400bc082d2a9.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to feedimport endpoints with serialized data in cnt_text parameter
- PHP errors related to deserialization
Network Indicators:
- HTTP requests containing serialized PHP objects in parameters
- Traffic to feedimport module from unexpected sources
SIEM Query:
source="web_logs" AND (uri="*feedimport*" AND post_data="*cnt_text*" AND post_data="*O:*")
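The SIEM pattern above matches any body containing "O:", including ordinary text such as "INFO:". As an added example (not part of the original advisory or the phpwcms code base), the following check decodes cnt_text and matches only the PHP serialized-object token; it assumes your logging exposes the request URI and form-encoded body, and the function names and sample paths are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# PHP serialize() object tokens, e.g. O:8:"stdClass":0:{ or C:11:"ArrayObject":21:{,
# at the start of the value or nested after ';' or '{' inside an array.
SERIALIZED_OBJECT = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"[^"]+":\d+:\{')

def cnt_text_values(uri, body):
    """Return every cnt_text value from the query string and a form-encoded body."""
    values = []
    for raw in (urlsplit(uri).query, body):
        values += parse_qs(raw, keep_blank_values=True).get("cnt_text", [])
    return values

def is_suspicious(uri, body):
    """True when a feedimport request carries a serialized PHP object in cnt_text."""
    if "feedimport" not in uri.lower():
        return False
    for value in cnt_text_values(uri, body):
        # parse_qs decoded once; decode a second time to catch double encoding.
        if any(SERIALIZED_OBJECT.search(v) for v in (value, unquote_plus(value))):
            return True
    return False

def scan(requests):
    """Return the indexes of the (method, uri, body) records that should be alerted on."""
    return [i for i, (_method, uri, body) in enumerate(requests) if is_suspicious(uri, body)]

# Constructed sample records; the paths are placeholders, not real phpwcms URLs.
SAMPLE_REQUESTS = [
    ("POST", "/example/feedimport", "cnt_text=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
    ("POST", "/example/feedimport",
     "cnt_text=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D"),
    ("POST", "/example/feedimport",
     "cnt_text=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D"),
    ("POST", "/example/feedimport", "cnt_text=INFO%3A+feed+updated"),  # benign, contains "O:"
    ("POST", "/example/other", "cnt_text=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
]

if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print("ALERT", SAMPLE_REQUESTS[i][1], cnt_text_values(*SAMPLE_REQUESTS[i][1:]))
```

The first three constructed records (plain, nested in an array, and double-encoded) are flagged; the "INFO:" body and the non-feedimport path are not.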
🔗 References
- https://github.com/3em0/cve_repo/blob/main/phpwcms/phar%20vulnerability%20in%20phpwcms.md
- https://github.com/slackero/phpwcms/commit/41a72eca0baa9d9d0214fec97db2400bc082d2a9
- https://github.com/slackero/phpwcms/releases/tag/v1.10.9
- https://vuldb.com/?ctiid.310912
- https://vuldb.com/?id.310912
- https://vuldb.com/?submit.577999