CVE-2025-5499

Summary

A vulnerability classified as critical has been found in slackero phpwcms up to 1.9.45/1.10.8. Affected is the function is_file/getimagesize of the file image_resized.php. The manipulation of the argument imgfile leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component.

Affected Software

VendorProductVersion RangeStatus
slackerophpwcms1.9.0affected
slackerophpwcms1.9.1affected
slackerophpwcms1.9.2affected
slackerophpwcms1.9.3affected
slackerophpwcms1.9.4affected
slackerophpwcms1.9.5affected
slackerophpwcms1.9.6affected
slackerophpwcms1.9.7affected
slackerophpwcms1.9.8affected
slackerophpwcms1.9.9affected
slackerophpwcms1.9.10affected
slackerophpwcms1.9.11affected
slackerophpwcms1.9.12affected
slackerophpwcms1.9.13affected
slackerophpwcms1.9.14affected
slackerophpwcms1.9.15affected
slackerophpwcms1.9.16affected
slackerophpwcms1.9.17affected
slackerophpwcms1.9.18affected
slackerophpwcms1.9.19affected
slackerophpwcms1.9.20affected
slackerophpwcms1.9.21affected
slackerophpwcms1.9.22affected
slackerophpwcms1.9.23affected
slackerophpwcms1.9.24affected
slackerophpwcms1.9.25affected
slackerophpwcms1.9.26affected
slackerophpwcms1.9.27affected
slackerophpwcms1.9.28affected
slackerophpwcms1.9.29affected
slackerophpwcms1.9.30affected
slackerophpwcms1.9.31affected
slackerophpwcms1.9.32affected
slackerophpwcms1.9.33affected
slackerophpwcms1.9.34affected
slackerophpwcms1.9.35affected
slackerophpwcms1.9.36affected
slackerophpwcms1.9.37affected
slackerophpwcms1.9.38affected
slackerophpwcms1.9.39affected
slackerophpwcms1.9.40affected
slackerophpwcms1.9.41affected
slackerophpwcms1.9.42affected
slackerophpwcms1.9.43affected
slackerophpwcms1.9.44affected
slackerophpwcms1.9.45affected
slackerophpwcms1.10.0affected
slackerophpwcms1.10.1affected
slackerophpwcms1.10.2affected
slackerophpwcms1.10.3affected
slackerophpwcms1.10.4affected
slackerophpwcms1.10.5affected
slackerophpwcms1.10.6affected
slackerophpwcms1.10.7affected
slackerophpwcms1.10.8affected

Weaknesses

  • CWE-502: Deserialization
  • CWE-20: Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References