CVE-2025-5498 Overview
CVE-2025-5498 is an insecure deserialization vulnerability in slackero phpwcms versions up to 1.9.45 and 1.10.8. The flaw resides in the file_get_contents and is_file operations within include/inc_lib/content/cnt21.readform.inc.php, part of the Custom Source Tab component. Attackers can manipulate the cpage_custom argument to trigger deserialization of attacker-controlled data. The issue is remotely exploitable and a public proof of concept exists. The vendor addressed the vulnerability in versions 1.9.46 and 1.10.9. The weakness is classified under CWE-502 (Deserialization of Untrusted Data) and CWE-20 (Improper Input Validation).
Critical Impact
Authenticated remote attackers can supply crafted input to cpage_custom, leading to deserialization of untrusted data and limited impact to confidentiality, integrity, and availability of the phpwcms instance.
Affected Products
- phpwcms versions up to and including 1.9.45
- phpwcms versions up to and including 1.10.8
- Component: Custom Source Tab (include/inc_lib/content/cnt21.readform.inc.php)
Discovery Timeline
- 2025-06-03 - CVE-2025-5498 published to NVD
- 2026-01-20 - Last updated in NVD database
Technical Details for CVE-2025-5498
Vulnerability Analysis
The vulnerability stems from how phpwcms handles the cpage_custom parameter inside include/inc_lib/content/cnt21.readform.inc.php. The Custom Source Tab component passes user-controlled input into PHP file operations such as file_get_contents and is_file without proper validation. When PHP processes specially crafted stream wrappers or serialized objects through these calls, the application can deserialize attacker-supplied data. This deserialization path enables object injection, where malicious serialized payloads can trigger unintended method invocations through PHP magic methods. The exploit is reachable over the network and requires low privileges plus user interaction.
Root Cause
The root cause is missing input validation on the cpage_custom argument combined with unsafe use of PHP filesystem functions that accept stream wrappers. Wrappers such as phar:// can trigger automatic deserialization of metadata embedded in Phar archives when file_get_contents or is_file is called against an attacker-controlled path. Without sanitization, this becomes a direct deserialization sink (CWE-502).
Attack Vector
An authenticated attacker submits a crafted value for cpage_custom through the Custom Source Tab functionality. The value references an attacker-controlled file path or stream wrapper that points to a malicious payload. When phpwcms invokes file_get_contents or is_file against this path, PHP processes the stream wrapper and deserializes embedded data. A successful chain depends on gadget classes available within phpwcms or loaded extensions to translate object instantiation into meaningful impact on confidentiality, integrity, or availability.
No verified exploit code is reproduced here. Public proof of concept material is referenced in the GitHub PoC for file_get_contents and the GitHub PoC for is_file.
Detection Methods for CVE-2025-5498
Indicators of Compromise
- HTTP requests to phpwcms endpoints containing a cpage_custom parameter with phar://, data://, or other non-standard stream wrapper schemes
- Web server access logs showing unusual file paths or external URLs supplied to Custom Source Tab handlers
- Unexpected outbound network connections originating from the PHP-FPM or web server process after requests targeting cnt21.readform.inc.php
- New or modified files in the phpwcms installation directory following suspicious POST requests by authenticated low-privilege users
Detection Strategies
- Inspect web application firewall (WAF) logs for requests carrying serialized PHP object signatures such as O: or a: patterns inside the cpage_custom value
- Hunt for repeated 200-response requests to cnt21.readform.inc.php from non-administrative accounts
- Correlate authenticated user sessions with subsequent process or file system anomalies on the web server host
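The wrapper and serialized-object checks listed above can be expressed as a small log-hunting routine. This is an added example, not code from phpwcms or from the referenced PoCs. The record layout (user, URL-encoded request body), the function names, and all sample values are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# "scheme://" prefix = PHP stream wrapper (phar://, data://, php://, http://, ...).
WRAPPER_RE = re.compile(r"^\s*([a-z][a-z0-9+.\-]*)://", re.I)
# data: URIs are also valid without the "//".
DATA_RE = re.compile(r"^\s*data:", re.I)
# PHP serialize() signatures: O:<len>:"Class":<n>:{ and a:<n>:{
SERIALIZED_RE = re.compile(r'(?:^|[;{])\s*(?:O:\d+:"[^"]+":\d+:\{|a:\d+:\{)')

def fully_decode(value, max_rounds=3):
    """Undo nested URL-encoding so a double-encoded wrapper is still recognised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_cpage_custom(urlencoded):
    """Return findings for each cpage_custom value in a query string or form body."""
    findings = []
    for raw in parse_qs(urlencoded, keep_blank_values=True).get("cpage_custom", []):
        value = fully_decode(raw)
        match = WRAPPER_RE.match(value)
        if match:
            findings.append("wrapper:" + match.group(1).lower())
        elif DATA_RE.match(value):
            findings.append("wrapper:data")
        if SERIALIZED_RE.search(value):
            findings.append("serialized-object")
    return findings

# Constructed WAF-style records (user, request body); not taken from real traffic.
SAMPLE_RECORDS = [
    ("editor1", "cid=12&cpage_custom=forms%2Fcontact.tmpl"),
    ("editor2", "cid=13&cpage_custom=phar%3A%2F%2Fupload%2Favatar.jpg"),
    ("editor2", "cid=13&cpage_custom=%2570har%253A%252F%252Fupload%252Favatar.jpg"),
    ("editor3", "cid=14&cpage_custom=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
]

def scan(records):
    """Return (user, findings) for every record with a suspicious cpage_custom."""
    hits = [(user, inspect_cpage_custom(body)) for user, body in records]
    return [(user, found) for user, found in hits if found]

if __name__ == "__main__":
    print(scan(SAMPLE_RECORDS))
```

The third sample record is double URL-encoded, which a single-pass pattern match on the raw log line would miss.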
Monitoring Recommendations
- Forward web server, PHP error, and authentication logs to a centralized logging platform for correlation against process telemetry
- Alert on PHP processes spawning shell interpreters, network utilities, or making unexpected outbound connections
- Track configuration and content file modifications inside the phpwcms web root for unauthorized changes
How to Mitigate CVE-2025-5498
Immediate Actions Required
- Upgrade phpwcms to version 1.9.46 or 1.10.9 as published in the Slackero phpwcms Release v1.10.9
- Audit existing administrative and editor accounts for unauthorized activity in Custom Source Tab content
- Review web server logs for prior requests to cnt21.readform.inc.php containing suspicious cpage_custom values
- Rotate credentials and session tokens for accounts that may have accessed the affected component
Patch Information
The phpwcms maintainers resolved the issue in versions 1.9.46 and 1.10.9. Administrators should upgrade to one of these releases. Patch details and release notes are available in the Slackero phpwcms Release v1.10.9. Vulnerability tracking information is published at VulDB #310913.
Workarounds
- Restrict access to the phpwcms administrative interface using network-level controls or IP allowlisting until the patch is applied
- Disable the Custom Source Tab feature for non-administrative roles if patching cannot be performed immediately
- Configure PHP to disable risky stream wrappers by setting allow_url_fopen=Off and limiting phar stream access where feasible
- Deploy WAF rules that block serialized PHP payloads and non-standard URI schemes submitted to the cpage_custom parameter
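; php.ini hardening example (php.ini comments start with ";", not "#")
; allow_url_fopen only governs remote URL wrappers; the local phar:// wrapper
; is unaffected by it, so upgrading phpwcms remains the actual fix.
allow_url_fopen = Off
allow_url_include = Off
; Confine PHP file operations to the phpwcms web root.
open_basedir = /var/www/phpwcms
; Remove common command-execution primitives a gadget chain could reach.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen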