CVE-2025-5497 (GCVE-0-2025-5497)
Vulnerability from cvelistv5 – Published: 2025-06-03 13:00 – Updated: 2025-08-20 08:53
Title
slackero phpwcms Feedimport processing.inc.php deserialization
Summary
A vulnerability was detected in slackero phpwcms up to 1.9.45/1.10.8. It affects an unspecified function in the file include/inc_module/mod_feedimport/inc/processing.inc.php of the Feedimport Module component. Manipulating the argument cnt_text leads to deserialization of untrusted data (CWE-502). The attack can be initiated remotely. An exploit has been published and may be used. Upgrading to version 1.9.46 or 1.10.9, depending on the release branch in use, resolves this issue. The patch is commit 41a72eca0baa9d9d0214fec97db2400bc082d2a9. Upgrading the affected component is recommended.
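Severity
Medium per the CNA (VulDB): CVSS 4.0 base score 5.3, CVSS 3.1 and 3.0 base score 6.3, CVSS 2.0 base score 6.5, all assuming an authenticated low-privileged attacker (PR:L / Au:S). The NVD data embedded in this record also carries a primary CVSS 3.1 score of 9.8 (Critical, PR:N), so confirm which score your tooling uses when prioritising.
Assigner
VulDB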
References
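| URL | Tags |
|---|---|
| https://vuldb.com/?id.310912 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.310912 | signature, permissions-required |
| https://vuldb.com/?submit.577999 | third-party-advisory |
| https://github.com/3em0/cve_repo/blob/main/phpwcms/phar%20vulnerability%20in%20phpwcms.md | exploit |
| https://github.com/slackero/phpwcms/commit/41a72eca0baa9d9d0214fec97db2400bc082d2a9 | patch |
| https://github.com/slackero/phpwcms/releases/tag/v1.10.9 | patch |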
Impacted products
| Vendor | Product | Version |
|---|---|---|
| slackero | phpwcms | Affected: 1.9.0 Affected: 1.9.1 Affected: 1.9.2 Affected: 1.9.3 Affected: 1.9.4 Affected: 1.9.5 Affected: 1.9.6 Affected: 1.9.7 Affected: 1.9.8 Affected: 1.9.9 Affected: 1.9.10 Affected: 1.9.11 Affected: 1.9.12 Affected: 1.9.13 Affected: 1.9.14 Affected: 1.9.15 Affected: 1.9.16 Affected: 1.9.17 Affected: 1.9.18 Affected: 1.9.19 Affected: 1.9.20 Affected: 1.9.21 Affected: 1.9.22 Affected: 1.9.23 Affected: 1.9.24 Affected: 1.9.25 Affected: 1.9.26 Affected: 1.9.27 Affected: 1.9.28 Affected: 1.9.29 Affected: 1.9.30 Affected: 1.9.31 Affected: 1.9.32 Affected: 1.9.33 Affected: 1.9.34 Affected: 1.9.35 Affected: 1.9.36 Affected: 1.9.37 Affected: 1.9.38 Affected: 1.9.39 Affected: 1.9.40 Affected: 1.9.41 Affected: 1.9.42 Affected: 1.9.43 Affected: 1.9.44 Affected: 1.9.45 Affected: 1.10.0 Affected: 1.10.1 Affected: 1.10.2 Affected: 1.10.3 Affected: 1.10.4 Affected: 1.10.5 Affected: 1.10.6 Affected: 1.10.7 Affected: 1.10.8 Unaffected: 1.9.46 Unaffected: 1.10.9 |

Note: the NVD CPE match embedded in this record uses versionEndExcluding 1.10.8, which leaves 1.10.8 itself outside the range even though the CNA lists it as affected; version checks should follow the CNA list above.
Credits
Dem0 (VulDB User)
huuhungn (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5497",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-03T14:45:18.581475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:45:34.792Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/3em0/cve_repo/blob/main/phpwcms/phar%20vulnerability%20in%20phpwcms.md"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Feedimport Module"
],
"product": "phpwcms",
"vendor": "slackero",
"versions": [
{
"status": "affected",
"version": "1.9.0"
},
{
"status": "affected",
"version": "1.9.1"
},
{
"status": "affected",
"version": "1.9.2"
},
{
"status": "affected",
"version": "1.9.3"
},
{
"status": "affected",
"version": "1.9.4"
},
{
"status": "affected",
"version": "1.9.5"
},
{
"status": "affected",
"version": "1.9.6"
},
{
"status": "affected",
"version": "1.9.7"
},
{
"status": "affected",
"version": "1.9.8"
},
{
"status": "affected",
"version": "1.9.9"
},
{
"status": "affected",
"version": "1.9.10"
},
{
"status": "affected",
"version": "1.9.11"
},
{
"status": "affected",
"version": "1.9.12"
},
{
"status": "affected",
"version": "1.9.13"
},
{
"status": "affected",
"version": "1.9.14"
},
{
"status": "affected",
"version": "1.9.15"
},
{
"status": "affected",
"version": "1.9.16"
},
{
"status": "affected",
"version": "1.9.17"
},
{
"status": "affected",
"version": "1.9.18"
},
{
"status": "affected",
"version": "1.9.19"
},
{
"status": "affected",
"version": "1.9.20"
},
{
"status": "affected",
"version": "1.9.21"
},
{
"status": "affected",
"version": "1.9.22"
},
{
"status": "affected",
"version": "1.9.23"
},
{
"status": "affected",
"version": "1.9.24"
},
{
"status": "affected",
"version": "1.9.25"
},
{
"status": "affected",
"version": "1.9.26"
},
{
"status": "affected",
"version": "1.9.27"
},
{
"status": "affected",
"version": "1.9.28"
},
{
"status": "affected",
"version": "1.9.29"
},
{
"status": "affected",
"version": "1.9.30"
},
{
"status": "affected",
"version": "1.9.31"
},
{
"status": "affected",
"version": "1.9.32"
},
{
"status": "affected",
"version": "1.9.33"
},
{
"status": "affected",
"version": "1.9.34"
},
{
"status": "affected",
"version": "1.9.35"
},
{
"status": "affected",
"version": "1.9.36"
},
{
"status": "affected",
"version": "1.9.37"
},
{
"status": "affected",
"version": "1.9.38"
},
{
"status": "affected",
"version": "1.9.39"
},
{
"status": "affected",
"version": "1.9.40"
},
{
"status": "affected",
"version": "1.9.41"
},
{
"status": "affected",
"version": "1.9.42"
},
{
"status": "affected",
"version": "1.9.43"
},
{
"status": "affected",
"version": "1.9.44"
},
{
"status": "affected",
"version": "1.9.45"
},
{
"status": "affected",
"version": "1.10.0"
},
{
"status": "affected",
"version": "1.10.1"
},
{
"status": "affected",
"version": "1.10.2"
},
{
"status": "affected",
"version": "1.10.3"
},
{
"status": "affected",
"version": "1.10.4"
},
{
"status": "affected",
"version": "1.10.5"
},
{
"status": "affected",
"version": "1.10.6"
},
{
"status": "affected",
"version": "1.10.7"
},
{
"status": "affected",
"version": "1.10.8"
},
{
"status": "unaffected",
"version": "1.9.46"
},
{
"status": "unaffected",
"version": "1.10.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem0 (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "huuhungn (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in slackero phpwcms up to 1.9.45/1.10.8. The impacted element is an unknown function of the file include/inc_module/mod_feedimport/inc/processing.inc.php of the component Feedimport Module. Performing manipulation of the argument cnt_text results in deserialization. The attack can be initiated remotely. The exploit is now public and may be used. Upgrading to version 1.9.46 and 1.10.9 is sufficient to resolve this issue. The patch is named 41a72eca0baa9d9d0214fec97db2400bc082d2a9. It is recommended to upgrade the affected component."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in slackero phpwcms bis 1.9.45/1.10.8 gefunden. Es ist betroffen eine unbekannte Funktion der Datei include/inc_module/mod_feedimport/inc/processing.inc.php der Komponente Feedimport Module. Dank der Manipulation des Arguments cnt_text mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Es ist m\u00f6glich, den Angriff aus der Ferne durchzuf\u00fchren. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden. Ein Upgrade auf Version 1.9.46 and 1.10.9 ist in der Lage, dieses Problem zu adressieren. Der Patch tr\u00e4gt den Namen 41a72eca0baa9d9d0214fec97db2400bc082d2a9. Es wird geraten, die betroffene Komponente zu aktualisieren."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T08:53:07.592Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-310912 | slackero phpwcms Feedimport processing.inc.php deserialization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.310912"
},
{
"name": "VDB-310912 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.310912"
},
{
"name": "Submit #577999 | phpwcms 1.10.8 phar deserialization vulnerability",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.577999"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/3em0/cve_repo/blob/main/phpwcms/phar%20vulnerability%20in%20phpwcms.md"
},
{
"tags": [
"patch"
],
"url": "https://github.com/slackero/phpwcms/commit/41a72eca0baa9d9d0214fec97db2400bc082d2a9"
},
{
"tags": [
"patch"
],
"url": "https://github.com/slackero/phpwcms/releases/tag/v1.10.9"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-03T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-03T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-20T10:57:36.000Z",
"value": "VulDB entry last update"
}
],
"title": "slackero phpwcms Feedimport processing.inc.php deserialization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5497",
"datePublished": "2025-06-03T13:00:16.567Z",
"dateReserved": "2025-06-03T05:14:32.944Z",
"dateUpdated": "2025-08-20T08:53:07.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-5497\",\"sourceIdentifier\":\"cna@vuldb.com\",\"published\":\"2025-06-03T13:15:21.310\",\"lastModified\":\"2025-08-20T09:15:28.213\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was detected in slackero phpwcms up to 1.9.45/1.10.8. The impacted element is an unknown function of the file include/inc_module/mod_feedimport/inc/processing.inc.php of the component Feedimport Module. Performing manipulation of the argument cnt_text results in deserialization. The attack can be initiated remotely. The exploit is now public and may be used. Upgrading to version 1.9.46 and 1.10.9 is sufficient to resolve this issue. The patch is named 41a72eca0baa9d9d0214fec97db2400bc082d2a9. It is recommended to upgrade the affected component.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 una vulnerabilidad en slackero phpwcms hasta la versi\u00f3n 1.9.45/1.10.8. Se ha declarado cr\u00edtica. Esta vulnerabilidad afecta al c\u00f3digo desconocido del archivo include/inc_module/mod_feedimport/inc/processing.inc.php del componente Feedimport Module. La manipulaci\u00f3n del argumento cnt_text provoca la deserializaci\u00f3n. El ataque puede ejecutarse en remoto. Se ha hecho p\u00fablico el exploit y puede que sea utilizado. Actualizar a las versiones 1.9.46 y 1.10.9 puede solucionar este problema. 
Se recomienda actualizar el componente afectado.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInter
action\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-502\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phpwcms:phpwcms:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.10.8\",\"matchCriteriaId\":\"6F992C50-311D-4BD2-9410-F53E6FCC5CBB\"}]}]}],\"references\":[{\"url\":\"https://github.com/3em0/cve_repo/blob/main/phpwcms/phar%20vulnerability%20in%20phpwcms.md\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Exploit\",\"Third Party 
Advisory\"]},{\"url\":\"https://github.com/slackero/phpwcms/commit/41a72eca0baa9d9d0214fec97db2400bc082d2a9\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://github.com/slackero/phpwcms/releases/tag/v1.10.9\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://vuldb.com/?ctiid.310912\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Permissions Required\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://vuldb.com/?id.310912\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://vuldb.com/?submit.577999\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/3em0/cve_repo/blob/main/phpwcms/phar%20vulnerability%20in%20phpwcms.md\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-5497\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-03T14:45:18.581475Z\"}}}], \"references\": [{\"url\": \"https://github.com/3em0/cve_repo/blob/main/phpwcms/phar%20vulnerability%20in%20phpwcms.md\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-03T14:45:28.330Z\"}}], \"cna\": {\"title\": \"slackero phpwcms Feedimport processing.inc.php deserialization\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Dem0 (VulDB User)\"}, {\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"huuhungn (VulDB User)\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 6.5, \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C\"}}], \"affected\": [{\"vendor\": \"slackero\", \"modules\": [\"Feedimport Module\"], \"product\": \"phpwcms\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.9.0\"}, {\"status\": \"affected\", \"version\": \"1.9.1\"}, {\"status\": \"affected\", \"version\": \"1.9.2\"}, {\"status\": \"affected\", \"version\": \"1.9.3\"}, {\"status\": \"affected\", \"version\": \"1.9.4\"}, {\"status\": 
\"affected\", \"version\": \"1.9.5\"}, {\"status\": \"affected\", \"version\": \"1.9.6\"}, {\"status\": \"affected\", \"version\": \"1.9.7\"}, {\"status\": \"affected\", \"version\": \"1.9.8\"}, {\"status\": \"affected\", \"version\": \"1.9.9\"}, {\"status\": \"affected\", \"version\": \"1.9.10\"}, {\"status\": \"affected\", \"version\": \"1.9.11\"}, {\"status\": \"affected\", \"version\": \"1.9.12\"}, {\"status\": \"affected\", \"version\": \"1.9.13\"}, {\"status\": \"affected\", \"version\": \"1.9.14\"}, {\"status\": \"affected\", \"version\": \"1.9.15\"}, {\"status\": \"affected\", \"version\": \"1.9.16\"}, {\"status\": \"affected\", \"version\": \"1.9.17\"}, {\"status\": \"affected\", \"version\": \"1.9.18\"}, {\"status\": \"affected\", \"version\": \"1.9.19\"}, {\"status\": \"affected\", \"version\": \"1.9.20\"}, {\"status\": \"affected\", \"version\": \"1.9.21\"}, {\"status\": \"affected\", \"version\": \"1.9.22\"}, {\"status\": \"affected\", \"version\": \"1.9.23\"}, {\"status\": \"affected\", \"version\": \"1.9.24\"}, {\"status\": \"affected\", \"version\": \"1.9.25\"}, {\"status\": \"affected\", \"version\": \"1.9.26\"}, {\"status\": \"affected\", \"version\": \"1.9.27\"}, {\"status\": \"affected\", \"version\": \"1.9.28\"}, {\"status\": \"affected\", \"version\": \"1.9.29\"}, {\"status\": \"affected\", \"version\": \"1.9.30\"}, {\"status\": \"affected\", \"version\": \"1.9.31\"}, {\"status\": \"affected\", \"version\": \"1.9.32\"}, {\"status\": \"affected\", \"version\": \"1.9.33\"}, {\"status\": \"affected\", \"version\": \"1.9.34\"}, {\"status\": \"affected\", \"version\": \"1.9.35\"}, {\"status\": \"affected\", \"version\": \"1.9.36\"}, {\"status\": \"affected\", \"version\": \"1.9.37\"}, {\"status\": \"affected\", \"version\": \"1.9.38\"}, {\"status\": \"affected\", \"version\": \"1.9.39\"}, {\"status\": \"affected\", \"version\": \"1.9.40\"}, {\"status\": \"affected\", \"version\": \"1.9.41\"}, {\"status\": \"affected\", \"version\": \"1.9.42\"}, 
{\"status\": \"affected\", \"version\": \"1.9.43\"}, {\"status\": \"affected\", \"version\": \"1.9.44\"}, {\"status\": \"affected\", \"version\": \"1.9.45\"}, {\"status\": \"affected\", \"version\": \"1.10.0\"}, {\"status\": \"affected\", \"version\": \"1.10.1\"}, {\"status\": \"affected\", \"version\": \"1.10.2\"}, {\"status\": \"affected\", \"version\": \"1.10.3\"}, {\"status\": \"affected\", \"version\": \"1.10.4\"}, {\"status\": \"affected\", \"version\": \"1.10.5\"}, {\"status\": \"affected\", \"version\": \"1.10.6\"}, {\"status\": \"affected\", \"version\": \"1.10.7\"}, {\"status\": \"affected\", \"version\": \"1.10.8\"}, {\"status\": \"unaffected\", \"version\": \"1.9.46\"}, {\"status\": \"unaffected\", \"version\": \"1.10.9\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-06-03T00:00:00.000Z\", \"value\": \"Advisory disclosed\"}, {\"lang\": \"en\", \"time\": \"2025-06-03T02:00:00.000Z\", \"value\": \"VulDB entry created\"}, {\"lang\": \"en\", \"time\": \"2025-08-20T10:57:36.000Z\", \"value\": \"VulDB entry last update\"}], \"references\": [{\"url\": \"https://vuldb.com/?id.310912\", \"name\": \"VDB-310912 | slackero phpwcms Feedimport processing.inc.php deserialization\", \"tags\": [\"vdb-entry\", \"technical-description\"]}, {\"url\": \"https://vuldb.com/?ctiid.310912\", \"name\": \"VDB-310912 | CTI Indicators (IOB, IOC, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://vuldb.com/?submit.577999\", \"name\": \"Submit #577999 | phpwcms 1.10.8 phar deserialization vulnerability\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/3em0/cve_repo/blob/main/phpwcms/phar%20vulnerability%20in%20phpwcms.md\", \"tags\": [\"exploit\"]}, {\"url\": \"https://github.com/slackero/phpwcms/commit/41a72eca0baa9d9d0214fec97db2400bc082d2a9\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/slackero/phpwcms/releases/tag/v1.10.9\", \"tags\": [\"patch\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A 
vulnerability was detected in slackero phpwcms up to 1.9.45/1.10.8. The impacted element is an unknown function of the file include/inc_module/mod_feedimport/inc/processing.inc.php of the component Feedimport Module. Performing manipulation of the argument cnt_text results in deserialization. The attack can be initiated remotely. The exploit is now public and may be used. Upgrading to version 1.9.46 and 1.10.9 is sufficient to resolve this issue. The patch is named 41a72eca0baa9d9d0214fec97db2400bc082d2a9. It is recommended to upgrade the affected component.\"}, {\"lang\": \"de\", \"value\": \"Eine Schwachstelle wurde in slackero phpwcms bis 1.9.45/1.10.8 gefunden. Es ist betroffen eine unbekannte Funktion der Datei include/inc_module/mod_feedimport/inc/processing.inc.php der Komponente Feedimport Module. Dank der Manipulation des Arguments cnt_text mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Es ist m\\u00f6glich, den Angriff aus der Ferne durchzuf\\u00fchren. Die Schwachstelle wurde \\u00f6ffentlich offengelegt und k\\u00f6nnte ausgenutzt werden. Ein Upgrade auf Version 1.9.46 and 1.10.9 ist in der Lage, dieses Problem zu adressieren. Der Patch tr\\u00e4gt den Namen 41a72eca0baa9d9d0214fec97db2400bc082d2a9. Es wird geraten, die betroffene Komponente zu aktualisieren.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"Deserialization\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2025-08-20T08:53:07.592Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-5497\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-20T08:53:07.592Z\", \"dateReserved\": \"2025-06-03T05:14:32.944Z\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"datePublished\": \"2025-06-03T13:00:16.567Z\", \"assignerShortName\": \"VulDB\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.