CVE-2022-50944 Overview
CVE-2022-50944 is a PHP code injection vulnerability [CWE-94] in Aero CMS 0.0.1. The flaw resides in the admin/posts.php endpoint, which accepts file uploads through the image parameter without validating the file's extension, declared type or content. An authenticated attacker can upload a file containing PHP code by submitting a post-creation request with the source=add_post parameter. The server stores the file under its client-supplied name in a web-accessible directory, and a later request for that file causes the PHP interpreter to execute it, giving the attacker remote code execution under the web server account.
Critical Impact
Authenticated attackers can achieve arbitrary PHP code execution on the underlying web server, leading to full compromise of the application and hosted data.
Affected Products
- Aero CMS 0.0.1
- AeroCMS GitHub repository builds derived from version 0.0.1
- Any deployment of that release that exposes admin/posts.php (the source=add_post handler) to authenticated users
Discovery Timeline
- 2026-05-10 - CVE-2022-50944 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2022-50944
Vulnerability Analysis
The vulnerability exists in Aero CMS 0.0.1, an open-source PHP content management system. The admin/posts.php script handles new post creation when invoked with the source=add_post parameter. As part of post creation, the script accepts an uploaded file through the image parameter intended for post thumbnails. The upload handler does not enforce file extension allowlists, MIME type validation, or content inspection.
An authenticated attacker with access to the post creation function can submit a .php file in place of an image. The server writes the file, under its client-supplied name, to a web-accessible directory. A subsequent HTTP request for the uploaded file causes the PHP interpreter to execute the embedded payload, yielding arbitrary code execution in the context of the web server process. The NVD entry classifies the flaw as CWE-94 (improper control of code generation); the mechanism behind it is an unrestricted upload of a file with a dangerous type (CWE-434), which turns into code injection only because the upload directory is served by the PHP handler.
Root Cause
The root cause is missing input validation on the image upload field in admin/posts.php. The handler trusts the client-supplied filename and content, does not rename the file on the server side, writes it into a directory served by the PHP interpreter, and never restricts uploads to image content types.
Attack Vector
Exploitation requires network access to the administrative interface and valid authenticated credentials with permission to create posts. The attacker sends a multipart POST request to admin/posts.php?source=add_post with a PHP payload in the image parameter, then requests the uploaded file URL to trigger execution. See the VulnCheck AeroCMS Advisory and Exploit-DB #51085 for the technical proof of concept.
Detection Methods for CVE-2022-50944
Indicators of Compromise
- POST requests to admin/posts.php containing source=add_post paired with uploaded files named with .php, .phtml or similar executable extensions, or with double extensions such as .jpg.php (and .php.jpg, which Apache also executes when PHP is mapped with AddHandler rather than a FilesMatch/SetHandler block).
- New PHP files appearing in upload directories used by Aero CMS, particularly under images/ paths referenced by post records.
- Outbound network connections initiated by the web server process shortly after a post creation request.
Detection Strategies
- Inspect web server access logs for sequential requests that first POST to admin/posts.php?source=add_post and then GET a newly created file under the uploads directory.
- Hash and review files in writable upload directories for PHP signatures such as <?php, <?=, eval(, base64_decode( or system(; a file that begins with a valid image header (GIF89a, JFIF) and also contains a PHP open tag is a polyglot web shell, not an image.
- Alert on web shell behavior such as the PHP interpreter spawning shells (sh, bash, cmd.exe) or executing reconnaissance commands.
Monitoring Recommendations
- Enable file integrity monitoring on the Aero CMS web root and any directory writable by the PHP process.
- Forward web server and PHP error logs to a centralized analytics platform and correlate authentication events with upload activity.
- Track admin account logins from new geographic locations or user agents that precede post creation activity.
How to Mitigate CVE-2022-50944
Immediate Actions Required
- Restrict access to admin/posts.php using network controls, IP allowlisting, or an authenticating reverse proxy until a fix is applied.
- Rotate all administrator credentials and review accounts for unauthorized additions.
- Audit the upload directory for unrecognized PHP files and remove any artifacts of exploitation.
Patch Information
No official vendor patch is referenced in the NVD entry for Aero CMS 0.0.1. Organizations should track the AeroCMS GitHub repository for updates and consider migrating away from this unmaintained application. Until a fix is available, apply the workarounds below at the web server and application layers.
Workarounds
- Configure the web server so that nothing under the upload directory is executed as PHP: under Apache with mod_php, php_flag engine off plus a FilesMatch block that denies PHP-looking files; under Nginx with php-fpm, a location block for the upload path that denies or returns 403 for .php files (serving them as static content avoids execution but discloses the uploaded source).
- Add an upload filter that validates both the file extension and the sniffed content type against an allowlist of image formats, rejects files containing PHP open tags, and stores accepted files under a server-generated name so that a double extension never reaches disk.
- Place the application behind a web application firewall with rules that block multipart uploads of PHP content to admin/posts.php.
# Apache: deny PHP execution inside the Aero CMS uploads directory
# (the path is assumed; adjust it to where admin/posts.php writes images)
<Directory "/var/www/aerocms/images">
    # Only meaningful when PHP runs as mod_php. Apache refuses to start on an
    # unknown directive if mod_php is not loaded, so drop this line on php-fpm.
    php_flag engine off
    # With the engine off, make sure the source is served as text, not as HTML
    AddType text/plain .php .phtml .php3 .php4 .php5 .phps
    # Independent of the PHP SAPI: refuse to serve PHP-looking files at all.
    # If PHP is mapped with AddHandler, widen the pattern to catch x.php.jpg too.
    <FilesMatch "\.(php|phtml|php[3-5]|phps)$">
        Require all denied
    </FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.