The plugin upload component in Z-BlogPHP 1.5.1 allows remote malicious users to execute arbitrary PHP code via the app_id parameter to zb_users/plugin/AppCentre/plugin_edit.php because of an unanchored regular expression, a different vulnerability than CVE-2018-8893. The component must be accessed directly by an administrator, or through CSRF.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
zblogcn z-blogphp 1.5.1 |