Impact
The flaw resides in Bludit CMS’s API Plugin. The POST /api/files/{key} endpoint does not enforce proper authorization and accepts uploads without validating file extensions. An attacker who has a valid API token can upload a malicious PHP script through this endpoint and then trigger its execution, granting full code execution privileges on the server. The issue is classified as Missing Authorization (CWE-862).
Affected Systems
Bludit CMS versions prior to 3.18.4 that have the API Plugin enabled. The vulnerability is exploitable only when the target has a valid API token that the attacker can obtain or guess, and the API Plugin must be operational.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity, while the EPSS score of <1% implies a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploits. An attacker requires a legitimate API token, then can upload a PHP file to /api/files/{key} and execute it by accessing the uploaded file, resulting in complete compromise of the affected system.
OpenCVE Enrichment