Impact
The goodoneuz/pay-uz Laravel package (versions 2.2.24 and earlier) contains a critical flaw in its /payment/api/editable/update endpoint. The endpoint is registered with Route::any() without any authentication or authorization middleware, enabling unauthenticated HTTP requests. User‑controlled input is written directly into PHP hook files via file_put_contents, and these files are later included with require() during normal payment processing. Consequently, an attacker can inject arbitrary PHP code, leading to full remote code execution and compromising the confidentiality, integrity, and availability of the host application.
Affected Systems
All installations that rely on the goodoneuz/pay-uz package at version 2.2.24 or earlier are affected. The CVE references point to the package source files that implement the vulnerable endpoint, and no other versions are listed. If a deployment uses a newer version of the package, further review is required to confirm whether the flaw persists.
Risk and Exploitability
The CVSS score of 10.0 reflects remote code execution with no authentication. An EPSS score of 2% indicates a low‑but‑nonzero chance of exploitation. The flaw is not currently listed in the CISA KEV catalog. Attackers can trigger the vulnerability by sending an unauthenticated request to the exposed endpoint with a malicious PHP payload; the lack of authentication and input validation creates a straightforward exploit path. The likely attack vector is remote HTTP requests to the endpoint, inferred from the Route::any() usage without middleware.
OpenCVE Enrichment
Github GHSA