Vulnerability Overview Vulnerability Name: PHP Code Execution via WriteConfig() function Vulnerability ID: #15 Submitter: KietNA-68, submitted on 2021-08-22 Affected Version: v5.6 Submission Date: 2022-02-20 Vulnerability Description Due to insufficient input filtering in the function, attackers can inject PHP code into the file in an unfiltered context (such as within ). Key points include: Attack Path: Attackers can trigger the vulnerability via the "add new site" feature, accessible through the path . Injection Point: Within the function, user input is appended to . The input filtering does not block characters like , , , , allowing attackers to inject and execute arbitrary PHP code. Code Details Site Addition Function Configuration Writing Function File Writing Function Exploitation Attackers can craft malicious requests to inject PHP code into , which is then included and executed by other PHP files. Summary This vulnerability allows attackers to write unfiltered user input into a configuration file via the function, enabling dynamic execution of malicious code and posing a serious threat to the system.