Impact
The K2 extension’s front‑end article‑attachment upload accepts files whose names end with the .php extension. Apache’s mod_php treats such files as executable PHP code and runs them under the web‑server user. A user with K2 Author privileges can upload a crafted shell.php, then retrieve it via the web server to execute arbitrary PHP code with web‑server privileges. The vulnerability allows remote code execution in the context of the web server when an attacker can supply a PHP file through the upload interface.
Affected Systems
The flaw targets the K2 Extension for Joomla provided by getk2.com. All releases older than 2.26 contain the vulnerability; any installation using a pre‑2.26 build is potentially impacted.
Risk and Exploitability
The CVSS score is 6.3, but the vulnerability still permits remote code execution when an attacker can upload files as an author. Since the upload path performs no validation beyond the file name, the exploit path is straightforward once author credentials are available. EPSS is not available and the issue is not listed in the CISA KEV catalog, yet the potential impact remains high due to the privilege escalation to the web‑server context. Based on the description, it is inferred that the likely attack vector requires a valid K2 Author account to upload a PHP file, and that the attacker can immediately retrieve and execute the file via a web request.
OpenCVE Enrichment