CVE-2024-58284 PUBLISHED

PopojiCMS 2.0.1 Remote Command Execution via Authenticated Metadata Settings

Assigner: VulnCheck
Reserved: 10.12.2025 Published: 10.12.2025 Updated: 11.12.2025

PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.6

Product Status

Vendor: PopojiCMS
Product: PopojiCMS
Versions (default: unaffected):
  • Version 2.0.1 is affected

Credits

  • Ahmet Ümit BAYRAM (finder)

Problem Types

  • CWE-94: Improper Control of Generation of Code ('Code Injection')