Share
## https://sploitus.com/exploit?id=3A96887E-EF0C-5185-99BA-F3E22F039CA4
make it a readme.md to paste into it
# CVE-2025-69906: Monstra CMS 3.0.4 Arbitrary File Upload to RCE
**Author**: David PS Abraham
**Date**: February 5, 2026
**Severity**: Critical - Remote Code Execution (CVSS 8.8+)
**CWE**: 434 (Unrestricted Upload of File with Dangerous Type)
## Vulnerability Description
Monstra CMS v3.0.4 Files Manager plugin (`plugins/box/filesmanager/filesmanager.admin.php`) implements **blacklist-based file extension validation** that stores uploaded files directly in the web-accessible `/public/files/` directory, enabling remote code execution under standard Apache/PHP configurations.
## Vulnerable Code Analysis
**Core Flaw** (`filesmanager.admin.php` ~lines 150-220):
```php
// WEAK BLACKLIST VALIDATION
$blacklist = array('.php', '.php3', '.php4', '.php5', '.phtml', '.pl', '.py', '.jsp', '.asp', '.sh', '.cgi');
$bypass = true;
foreach ($blacklist as $bad) {
if (strpos(strtolower($filename), $bad) !== false) {
$bypass = false;
break;
}
}
if ($bypass) {
// DIRECT WEB-ROOT WRITE - No sanitization
$upload_path = BASE_PATH . DS . 'public' . DS . 'files' . DS;
move_uploaded_file($file['tmp_name'], $upload_path . $filename);
// http://target/public/files/shell.PHP executes!
}
```
## Bypass Techniques
| Flaw | Bypass Example | Result |
|------|----------------|--------|
| Case Sensitivity | `shell.PHP`, `shell.pHp` | โ
Executes |
| Double Extension | `shell.php.jpg` | โ
Executes |
| Null-byte | `shell.php%00.jpg` | โ
Executes |
| Non-standard PHP | `shell.php7`, `shell.phtml` | โ
Executes |
## Technical Impact
| Impact | Description |
|--------|-------------|
| **RCE** | Arbitrary PHP execution via uploaded webshell |
| **Privilege Escalation** | Admin-authenticated โ server compromise |
| **Info Disclosure** | File read via `` |
| **Attack Vector** | Remote, authenticated (Files Manager interface) |
## Affected Versions
```
Monstra CMS <= 3.0.4
Path: plugins/box/filesmanager/filesmanager.admin.php
Repo: https://github.com/monstra-cms/monstra/tree/dev/plugins/box/filesmanager
```
## Timeline
```
2026-02-05: CVE-2025-69906 assigned by MITRE
2026-02-05: Public disclosure
```
## References
- [CVE-2025-69906](https://vulners.com/cve/CVE-2025-69906)
- [Monstra CMS GitHub](https://github.com/monstra-cms/monstra)
- [Files Manager Source](https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php)
- Related: CVE-2018-9037 (ZIP upload RCE)
## Recommendation
```
1. Disable Files Manager plugin
2. Whitelist ALLOWED extensions only (image/png, image/jpeg)
3. Rename uploads: uniqid() + .jpg
4. Store outside web root
5. Migrate to maintained CMS
```
## Credits
**Discovered by**: David PS Abraham (Cybersecurity Researcher)
***
*Responsible disclosure following CVE assignment. No live exploitation performed.*
*Project unmaintained since 2018 per repository notice.*
[1]
**Copy this entire content โ Paste into your repo's README.md โ Commit & Push โ Share on social channels.**
Citations:
[1] 1000279995.jpg https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/images/62532667/8d8c801d-6e5c-4292-b88f-4530423fb53a/1000279995.jpg