CVE-2025-5498 MEDIUM

CVE-2025-5498: slackero phpwcms Custom Source Tab cnt21.readform.inc.php is_file deserialization

Vendor Slackero
Product phpwcms
Weakness CWE-502 · Unsafe deserialization
Published June 3, 2025
Last update June 3, 2025

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Passive
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. The issue affects the function file_get_contents/is_file in the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. Manipulation of the argument cpage_custom leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Versions 1.9.46 and 1.10.9 address this issue; upgrading the affected component is recommended.

Key dates

02 Disclosure timeline

June 3, 2025 CVE published
June 3, 2025 Record updated
