Description

PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter.

PUBLISHED Reserved 2025-12-10 | Published 2025-12-10 | Updated 2025-12-11 | Assigner VulnCheck




HIGH: 8.6 | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status: unaffected

2.0.1: affected

Credits

Ahmet Ümit BAYRAM (finder)

References

github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip exploit

www.exploit-db.com/exploits/52022 (ExploitDB-52022) exploit

www.popojicms.org/ (Official Vendor Homepage) vendor-advisory product

github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip (Product Archive) product

github.com/PopojiCMS/PopojiCMS (Project Repository) product

www.vulncheck.com/...ion-via-authenticated-metadata-settings (VulnCheck Advisory: PopojiCMS 2.0.1 Remote Command Execution via Authenticated Metadata Settings) third-party-advisory

cve.org (CVE-2024-58284)

nvd.nist.gov (CVE-2024-58284)
