CVE-2018-25409
8.8 HIGH
SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting...
Published: 2026-05-30 · Last updated: 2026-06-01
Severity and scoring
- CVSS: 8.8 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-434
Description
SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2018-25409
- [Other] https://simpkh.sourceforge.io/
- [Other] https://sourceforge.net/projects/simpkh/files/latest/download
- [Other] https://www.exploit-db.com/exploits/45659
- [Other] https://www.vulncheck.com/advisories/sim-pkh-arbitrary-file-upload-via-aksi-pengurus-php
Related CVEs
Same CWE
- CVE-2026-40772 — Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions (10.0 CRITICAL)
- CVE-2026-39591 — Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions (9.9 CRITICAL)
- CVE-2026-39527 — Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions (5.4 MEDIUM)
- CVE-2018-25436 — WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated ... (9.8 CRITICAL)
- CVE-2026-5482 — Responsive FileManager's allows an unauthenticated attacker to upload files of any type and extension without restriction using dialog.ph...