
CVE-2026-7578: MacCMS Pro RCE Vulnerability

CVE-2026-7578 is a remote code execution flaw in MacCMS Pro up to version 2022.1.3 caused by unrestricted file upload in the plugin installation handler. This article covers technical details, affected versions, and mitigations.


CVE-2026-7578 Overview

CVE-2026-7578 is an unrestricted file upload vulnerability in MacCMS Pro versions up to 2022.1.3. The flaw resides in the install function of /admi.php/admin/addon/add.html, part of the Plugin Installation Handler component. An authenticated attacker with high privileges can manipulate the plugin installation routine to upload arbitrary files to the web server. The exploit is publicly available, increasing the likelihood of opportunistic abuse against exposed administrative interfaces. The vendor was contacted before public disclosure but did not respond. The weakness is classified under [CWE-284] Improper Access Control.

Critical Impact

Authenticated administrators can abuse the plugin installer to upload arbitrary files, enabling persistent server-side code placement on affected MacCMS Pro deployments.

Affected Products

  • MacCMS Pro versions up to and including 2022.1.3
  • Plugin Installation Handler component (/admi.php/admin/addon/add.html)
  • Deployments exposing the administrative interface to untrusted networks

Discovery Timeline

  • 2026-05-01 - CVE-2026-7578 published to NVD
  • 2026-05-01 - Last updated in NVD database

Technical Details for CVE-2026-7578

Vulnerability Analysis

The vulnerability lives in the install function exposed through /admi.php/admin/addon/add.html. This endpoint handles plugin package installation in the MacCMS Pro administrative panel. The handler accepts uploaded archives or files without enforcing adequate restrictions on file type, extension, or content. An attacker who reaches the endpoint can supply a manipulated payload that the application writes into a server-accessible location.

The issue is categorized as Improper Access Control [CWE-284]. The CVSS 4.0 vector indicates a network-reachable attack with low complexity that requires high privileges and no user interaction. Confidentiality, integrity, and availability impacts are limited in scope, but the public availability of an exploit raises operational risk for exposed instances. The EPSS score is 0.043% at the 13.169 percentile, reflecting low predicted exploitation activity in the near term.

Root Cause

The Plugin Installation Handler does not validate uploaded plugin contents against an allowlist of safe file types or verify package integrity before extraction. Because the handler trusts authenticated administrators to provide well-formed plugins, hostile files can be written to disk through the standard installation flow.

Attack Vector

Exploitation requires administrative session access to the MacCMS Pro backend. The attacker submits a crafted plugin package through the plugin installation form at /admi.php/admin/addon/add.html. The install function processes the payload and writes attacker-controlled files into the application directory structure. Refer to the GitHub Issue Discussion and VulDB #360419 for technical observations published by reporters.

No verified proof-of-concept code is reproduced here. Defenders should consult the linked references for indicators and request samples.

Detection Methods for CVE-2026-7578

Indicators of Compromise

  • POST requests to /admi.php/admin/addon/add.html containing multipart file uploads with executable extensions such as .php, .phtml, or .phar
  • New or modified files in the MacCMS Pro plugin or addon directories without a corresponding vendor release
  • Outbound connections from the web server process shortly after plugin installation events

Detection Strategies

  • Inspect web server access logs for installation requests originating from unexpected source addresses or outside maintenance windows
  • Compare on-disk plugin directory contents against a known-good baseline to surface unauthorized additions
  • Alert on web shell signatures and PHP files written into directories normally containing only static plugin assets
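The log-inspection strategy above, worked through as an added example (this is not code from MacCMS Pro, the advisory, or its reporters): it parses combined-format access log lines, keeps only POSTs to the installer endpoint named in the advisory, and flags those that come from outside a trusted administrator range or fall outside a maintenance window. The endpoint path is taken from the page; the sample log lines, the 10.0.0.0/24 range and the 02:00-04:00 UTC window are constructed assumptions.

```python
"""Flag plugin-installer requests in web server access logs.

Added example for the CVE-2026-7578 detection guidance; not code from
MacCMS Pro or the advisory. The log lines, trusted subnet and
maintenance window are constructed assumptions; only the endpoint path
comes from the advisory.
"""
import ipaddress
import re
from datetime import datetime, time, timezone

INSTALLER_PATH = "/admi.php/admin/addon/add.html"   # path from the advisory

# Assumed trusted administrator range and maintenance window (UTC).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]
MAINT_START, MAINT_END = time(2, 0), time(4, 0)

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one installer POST inside the window from the admin
# subnet, an unrelated GET, one installer POST from an external address at
# midday, and one from the admin subnet outside the window.
SAMPLE_LOG = [
    '10.0.0.15 - admin [01/May/2026:02:30:11 +0000] "POST /admi.php/admin/addon/add.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.15 - admin [01/May/2026:02:31:02 +0000] "GET /admi.php/admin/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - admin [01/May/2026:13:45:09 +0000] "POST /admi.php/admin/addon/add.html HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '10.0.0.15 - admin [01/May/2026:14:05:40 +0000] "POST /admi.php/admin/addon/add.html?step=2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line; return a dict or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_trusted(ip):
    """True if the source address lies inside an assumed trusted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def in_maintenance_window(ts):
    """True if the timestamp (any tz) falls in the assumed UTC window."""
    t = ts.astimezone(timezone.utc).time()
    return MAINT_START <= t < MAINT_END


def flag_installer_requests(lines):
    """Return (line_number, reasons) for installer POSTs that come from an
    untrusted source and/or land outside the maintenance window."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        # Compare the path without any query string.
        if rec["path"].split("?", 1)[0] != INSTALLER_PATH:
            continue
        reasons = []
        if not is_trusted(rec["ip"]):
            reasons.append("untrusted source %s" % rec["ip"])
        if not in_maintenance_window(rec["ts"]):
            reasons.append("outside maintenance window")
        if reasons:
            findings.append((n, reasons))
    return findings


if __name__ == "__main__":
    for n, reasons in flag_installer_requests(SAMPLE_LOG):
        print("line %d: %s" % (n, "; ".join(reasons)))
```

Run against a real log by replacing SAMPLE_LOG with the file's lines. Note that standard access logs do not record request bodies, so the multipart filename indicator listed above needs a WAF or application-level upload log rather than this access-log check.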

Monitoring Recommendations

  • Forward web server, application, and file integrity logs to a centralized analytics platform for correlation
  • Track administrative authentication events and tie them to subsequent plugin installation activity
  • Monitor process execution under the web server account for shell utilities, compilers, or download tools

How to Mitigate CVE-2026-7578

Immediate Actions Required

  • Restrict access to /admi.php/admin/addon/ paths to trusted administrator IP ranges using web server or firewall rules
  • Rotate administrative credentials and enforce multi-factor authentication for the MacCMS Pro backend
  • Audit plugin and addon directories for files added since the last verified deployment and remove unauthorized entries
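The baseline comparison from the detection strategies and the directory audit from the immediate actions both come down to the same check, worked through here as an added example (not code from MacCMS Pro or the advisory): hash every file under the addon root, diff the result against a stored baseline to list added, modified and removed files, and separately surface PHP-executable files in directories expected to hold only static assets. The directory layout, file names and the `static` directory name are constructed; the real addon path on a deployment is an assumption you must supply.

```python
"""Baseline-and-diff audit of a MacCMS Pro plugin directory.

Added example for the CVE-2026-7578 'compare against a known-good
baseline' and 'audit plugin and addon directories' guidance; not code
from MacCMS Pro or the advisory. File layout and names are constructed.
"""
import hashlib
import os
import tempfile

EXEC_EXTS = (".php", ".phtml", ".phar")   # extensions named in the advisory


def build_manifest(root):
    """Map each file's path (relative to root, '/' separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def executable_in_static_dirs(manifest, static_dirs):
    """PHP-executable files whose path passes through a static-asset dir."""
    hits = []
    for rel in manifest:
        dirs = rel.split("/")[:-1]
        if any(d in static_dirs for d in dirs) and rel.lower().endswith(EXEC_EXTS):
            hits.append(rel)
    return sorted(hits)


def _write(root, rel, data):
    """Helper for the constructed scenario: write bytes at root/rel."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: take a baseline, simulate two post-baseline
    changes, and return what the audit surfaces."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "sample_plugin/plugin.php", b"<?php // legitimate plugin\n")
        _write(root, "sample_plugin/static/app.js", b"console.log('ok');\n")
        baseline = build_manifest(root)        # would be stored at deploy time
        # Simulated changes after the baseline (constructed, not real indicators).
        _write(root, "sample_plugin/static/cache.php", b"<?php // unexpected\n")
        _write(root, "sample_plugin/plugin.php", b"<?php // legitimate plugin, altered\n")
        current = build_manifest(root)
        added, modified, removed = diff_manifest(baseline, current)
        return {
            "added": added,
            "modified": modified,
            "removed": removed,
            "exec_in_static": executable_in_static_dirs(current, {"static"}),
        }


if __name__ == "__main__":
    for key, paths in demo().items():
        print("%s: %s" % (key, ", ".join(paths) or "-"))
```

In practice, run `build_manifest` against the real addon directory right after a verified deployment, store the result somewhere the web server account cannot write, and diff against it on a schedule; anything in `added` or `exec_in_static` that does not match a vendor release is a candidate for the removal step above.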

Patch Information

No vendor patch has been published. The vendor did not respond to coordinated disclosure attempts referenced in the VulDB #360419 advisory. Operators running MacCMS Pro 2022.1.3 or earlier should treat the administrative panel as exposed and apply compensating controls until an official fix is released.

Workarounds

  • Place the administrative interface behind a VPN or zero-trust gateway to remove direct internet exposure
  • Configure the web server to deny PHP execution within plugin upload directories where feasible
  • Disable the plugin installation feature in production by removing or restricting admin/addon/add.html access at the web server layer
```nginx
# Example nginx restriction limiting access to the plugin installer.
# Place this before any generic "location ~ \.php$" block: nginx uses the
# first matching regex location, so a later generic block would win otherwise.
location ~* ^/admi\.php/admin/addon/ {
    allow 10.0.0.0/24;   # trusted admin subnet (adjust to your environment)
    deny all;            # everyone else receives 403

    # MacCMS routes through /admi.php/<route>, so split the script name from
    # the trailing path before handing the request to PHP-FPM.
    fastcgi_split_path_info ^(/admi\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass unix:/var/run/php-fpm.sock;   # socket path is illustrative
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
