The application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve arbitrary code execution when it is included.
Vector: Malicious ZIP upload + insecure require_once
Remote Code Execution (RCE)
5.2.3
Exploitability: AV:N AC:L PR:H UI:N
Scope: S:C
Impact: C:H I:H A:N
8.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
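One way to close the include path described above is to treat the uploaded archive strictly as data. This is an added example, not the application's own code; it assumes backups can be stored as JSON, the entry names and function names are hypothetical, and it requires PHP's zip extension.

```php
<?php
// Hypothetical allow-list: a backup may contain only these data files.
const ALLOWED_ENTRIES = ['backup.json', 'settings.json'];

// Reads an uploaded backup as data: nothing is extracted to disk or included.
function read_backup(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('not a readable zip archive');
    }
    try {
        $data = [];
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $stat = $zip->statIndex($i);
            // Exact-match allow-list: rejects *.php, nested paths and ../ names.
            if ($stat === false || !in_array($stat['name'], ALLOWED_ENTRIES, true)) {
                throw new RuntimeException('unexpected archive entry');
            }
            $raw = $zip->getFromIndex($i);
            if ($raw === false) {
                throw new RuntimeException('cannot read archive entry');
            }
            // Parsed, never executed; malformed JSON throws JsonException.
            $data[$stat['name']] = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
        }
        return $data;
    } finally {
        $zip->close();
    }
}

// Constructed sample archive with a single entry, built in the temp directory.
function make_zip(string $name, string $content): string
{
    $path = tempnam(sys_get_temp_dir(), 'bk');
    $zip = new ZipArchive();
    $zip->open($path, ZipArchive::OVERWRITE);
    $zip->addFromString($name, $content);
    $zip->close();
    return $path;
}

foreach (['backup.json' => '{"site":"demo"}', 'restore.php' => 'placeholder'] as $name => $content) {
    $path = make_zip($name, $content);
    try { var_dump(read_backup($path)); }
    catch (RuntimeException $e) { echo 'rejected: ', $e->getMessage(), "\n"; }
    finally { unlink($path); }
}
```

Because the whole archive is rejected on the first unexpected entry, a valid data file cannot be used to carry an extra script alongside it.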