CVE-2025-54473 CRITICAL

CVE-2025-54473: Extension - phoca.cz - Authenticated RCE vulnerability in Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla

Vendor Phoca.cz
Product phoca.cz - Phoca Commander for Joomla
Weakness CWE-434 · Unrestricted file upload
Published August 15, 2025
Last update August 15, 2025

CVSS base score

9.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:N/SA:N/S:N/AU:N/RE:L/U:Clear

What the vulnerability does

01Description

An authenticated RCE vulnerability in Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla was discovered. The issue allows code execution via the unzip feature.

Explanation of Vulnerability in Simple Terms

02Summary

Phoca Commander for Joomla versions 5.0.0 through 5.0.1 contain an unrestricted file upload vulnerability. An authenticated administrator can upload files without proper validation, potentially allowing them to place malicious files on the server. This could lead to unauthorized code execution or site compromise depending on where files are stored and how the web server processes them.

What an attacker can do

03Attacker Capabilities

Upload files to the server without proper validation or restrictions.

Potential impact on your site

04Site Impact

An admin account could be compromised to upload and execute malicious code, leading to full site takeover.

Conditions required to exploit

05Prerequisites

Attacker must have administrator-level access to the Joomla site.

Key dates

06Disclosure timeline

August 15, 2025 CVE published
August 15, 2025 Record updated

Related vulnerabilities

08Related CVE