The Visitor Management System 1.0 by sanjay1313 contains an unrestricted file upload flaw within vms/php/admin_user_insert.php and vms/php/update_1.php. The move_uploaded_file() call strictly performs no MIME type, file‑extension, or content validation, enabling an authenticated administrator to upload a PHP webshell and thus gain remote code execution on the host server. This flaw is a classic example of CWE-434, where lack of file‑type validation allows execution of malicious code.

All deployments of Visitor Management System 1.0 that include the vulnerable upload scripts are impacted. No vendor‑supplied patch has been released yet; therefore every instance of v1.0 cannot be updated until an official fix becomes available.

The vulnerability is exploitable only by users with administrative privileges, which default installations may provide. Because no EPSS score is published and the flaw is not listed in CISA KEV, quantitative exploitation risk is unmeasured, but the medium‑to‑high score of 7.2 emphasizes a high potential impact. Attackers could obtain full server control once a webshell is uploaded; the lack of validation and potential for complete remote code execution make the risk significant even if the attacker must first acquire admin credentials.