CVE-2018-25162 HIGH

CVE-2018-25162: 2-Plan Team 1.0.4 Arbitrary File Upload via managefile.php

Vendor 2-Plan

Product Plan Team

Weakness CWE-434 · Unrestricted file upload

Published March 6, 2026

Last update March 9, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. Attackers can upload PHP files through the userfile1 parameter with action=upload, which are stored in the files directory and executed by the web server for remote code execution.

Key dates

Disclosure timeline

March 6, 2026 CVE published

March 9, 2026 Record updated