Any unauthenticated user can upload image files using the upload connector of the ckeditor (located at /admin/plugins/ckeditor/fm/connectors/php/upload.php).
The uploaded image file can then be renamed to a PHP extension in a second step, which results in unauthenticated RCE.
Renaming of the image file happens in the /admin/plugins/ckeditor/plugins/pdw_file_browser/actions.php endpoint.
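Defenders can look for this two-step sequence (a request to the upload connector followed by a request to actions.php from the same client) in web server access logs. The script below is an added example, not part of the original advisory; it assumes the Apache/nginx combined log format, and the function name, the 10-minute window and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Endpoint paths as named in the advisory.
UPLOAD = "/admin/plugins/ckeditor/fm/connectors/php/upload.php"
RENAME = "/admin/plugins/ckeditor/plugins/pdw_file_browser/actions.php"

# Assumption: access log uses the Apache/nginx "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>[^ ?"]+)[^"]*" (?P<status>\d{3}) '
)

def find_upload_then_rename(lines, window=timedelta(minutes=10)):
    """Return (ip, upload_time, rename_time) for each client that reached the
    upload connector and then actions.php within `window`, both answered 2xx."""
    last_upload = {}  # ip -> time of most recent successful upload request
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line or request that did not succeed
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path = m["ip"], m["path"]
        if path == UPLOAD:
            last_upload[ip] = ts
        elif path == RENAME and ip in last_upload:
            if ts - last_upload[ip] <= window:
                hits.append((ip, last_upload[ip], ts))
                del last_upload[ip]  # one alert per upload/rename pair
    return hits

# Constructed sample log lines (documentation-range IPs, made-up sizes and agents).
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST {UPLOAD} HTTP/1.1" 200 87 "-" "curl/8.0"',
    '198.51.100.4 - - [12/Mar/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [12/Mar/2024:10:00:09 +0000] "POST {RENAME} HTTP/1.1" 200 12 "-" "curl/8.0"',
    f'198.51.100.9 - - [12/Mar/2024:11:30:00 +0000] "POST {RENAME} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, up, ren in find_upload_then_rename(SAMPLE_LOG):
        print(f"ALERT {ip}: upload at {up.isoformat()}, rename at {ren.isoformat()}")
```

A hit is a lead for triage rather than proof of compromise; a rename request with no preceding upload from the same client (the last sample line) is not flagged.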
The following nuclei template can be used to identify and exploit the vulnerability: