CVE-2025-58048: Remote Code Execution via Unrestricted Ticket Attachment Uploads in Paymenter
Vulnerability ID: CVE-2025-58048
CVSS Score: 10.0
Published: 2026-06-22
An unrestricted file upload vulnerability in Paymenter's support ticket system (prior to version 1.2.11) allows authenticated users to upload arbitrary PHP scripts to a web-accessible directory. The application fails to validate file extensions or MIME types before storing the files, enabling remote code execution under the web server's privilege context.
TL;DR
Paymenter versions prior to 1.2.11 allow low-privilege authenticated users to execute arbitrary system commands by uploading malicious PHP scripts through the support ticket attachment feature.
Technical Details
- CWE ID: CWE-434
- Attack Vector: Network
- CVSS v3.1: 10.0 (Critical)
- EPSS Score: 0.00374
- Exploit Status: None (No public functional exploit scripts)
- KEV Status: Not Listed
- Impact: Remote Code Execution (RCE)
Affected Systems
- Paymenter open-source hosting webshop solution
- Paymenter: < 1.2.11 (Fixed in: 1.2.11)
Code Analysis
- Commit 87c3db4: Remove ticket attachment functionality to address arbitrary file upload and remote code execution
- Commit 79b2a5d: Additional clean up and security hardening for ticket attachments
Mitigation Strategies
- Upgrade Paymenter to v1.2.11 or higher
- Configure Nginx to block PHP execution in the /storage/ directory
- Use WAF rules to block execution requests targeting /storage/ticket-attachments/
Remediation Steps:
- Check current Paymenter version in the admin dashboard or via composer.json.
- Pull latest changes and check out tag v1.2.11 or run composer update to apply the official patch.
- If immediate upgrade is impossible, open the Nginx site configuration file.
- Add a location block denying access to PHP files under the storage folder.
- Test Nginx configuration using 'nginx -t' and reload the service using 'systemctl reload nginx'.
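One way to implement the interim Nginx hardening described above, as an added example that is not Paymenter's own configuration; the install path, hostname and php-fpm socket path are assumptions for a typical Laravel layout:

```nginx
# Added example (not from the Paymenter project): server block that refuses to
# hand anything under /storage/ (where ticket attachments were written) to the
# PHP interpreter. Assumes web root <app>/public and php-fpm on a unix socket.
server {
    listen 80;
    server_name paymenter.example.com;          # placeholder hostname
    root /var/www/paymenter/public;              # assumed install path
    index index.php;

    # "^~" makes this prefix location final: when it is the longest prefix
    # match, Nginx does NOT go on to evaluate the regex locations below, so
    # the generic "\.php$" handler can never be reached for /storage/ URIs.
    # Without "^~", the regex PHP handler would win and uploaded scripts
    # would still be executed.
    location ^~ /storage/ {
        # Defence in depth: explicitly reject PHP-like names, including
        # double extensions such as "shell.php.jpg".
        location ~* \.(php|php[0-9]|phtml|phar)(\.|$) {
            return 403;
        }
        # Everything else is served as a static download, never rendered.
        add_header Content-Disposition "attachment";
        add_header X-Content-Type-Options "nosniff";
        try_files $uri =404;
    }

    # Normal Laravel front controller.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Generic PHP handler: only scripts that actually exist on disk, with the
    # resolved path passed to php-fpm so symlinked uploads cannot masquerade.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;   # assumed socket
    }
}
```

Ordering matters: if the generic `\.php$` regex location appears in a server block without the `^~` modifier on the `/storage/` prefix, the regex is matched first and the deny rule is bypassed.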
References
Read the full report for CVE-2025-58048 on our website for more details including interactive diagrams and full exploit analysis.