CVE-2026-6650
Received - Intake
Unrestricted File Upload in Z-BlogPHP AppCentre Plugin

Publication date: 2026-04-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in Z-BlogPHP 1.7.5. This affects the function App::UnPack of the file /zb_users/plugin/AppCentre/app_upload.php of the component ZBA File Handler. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-04-20
Last Modified: 2026-04-29
Generated: 2026-05-06
AI Q&A: 2026-04-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: z-blogphp
Product: z-blogphp
Version / Range: 1.7.5
CWE ID: Description
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-6650 is a critical vulnerability in Z-BlogPHP version 1.7.5 that involves an arbitrary file upload flaw in the App::UnPack() method of the ZBA File Handler component. This method processes application packages (ZBA files) by decoding base64-encoded file contents and writing them directly to the filesystem without any security checks such as file type validation, content sanitization, extension verification, or signature validation.

Attackers can craft malicious ZBA files containing PHP backdoor code and upload them via the admin panel through the Application Center’s upload endpoint. Once uploaded and installed as a plugin or theme, the attacker can activate the malicious code and execute arbitrary system commands remotely by accessing a specially crafted URL.

The exploitation steps include logging into the admin panel, uploading the malicious package, installing and activating it, and then running commands on the server through the backdoor script.


How can this vulnerability impact me?

This vulnerability allows attackers to upload and execute arbitrary PHP code on the affected server, leading to remote code execution (RCE).

  • Attackers can run system commands remotely, potentially gaining full control over the server.
  • Sensitive data on the server could be accessed, modified, or deleted.
  • The server could be used as a launchpad for further attacks within the network.
  • Malicious plugins or themes could be installed, compromising the integrity and availability of the website.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of malicious plugins or themes uploaded via the Application Center's upload endpoint. Specifically, look for suspicious files in the directory /zb_users/plugin/ that may include backdoor scripts such as include.php.

To verify if the system is compromised or vulnerable, you can attempt to access the backdoor URL pattern: /zb_users/plugin/<plugin_id>/include.php?cmd=<command> where <command> can be system commands like whoami, ipconfig, or dir.

Suggested commands to test the vulnerability remotely (if you have access) include:

  • Accessing the URL: /zb_users/plugin/<plugin_id>/include.php?cmd=whoami to identify the user context.
  • Accessing the URL: /zb_users/plugin/<plugin_id>/include.php?cmd=ipconfig (Windows) or ifconfig (Linux) to check network configuration.
  • Accessing the URL: /zb_users/plugin/<plugin_id>/include.php?cmd=dir (Windows) or ls (Linux) to list directory contents.

Additionally, inspect the upload logs or admin panel upload history for any unauthorized or suspicious ZBA file uploads.
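
One way to carry out the log review described above, as an added example that is not part of the original page or of Z-BlogPHP: it scans combined-format web access log lines for POSTs to the AppCentre upload endpoint and for include.php requests that carry a cmd parameter, then lists clients that did both. The sample log lines, IP addresses and the plugin id demo_plugin are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2026:10:01:12 +0000] "POST /zb_users/plugin/AppCentre/app_upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2026:10:02:40 +0000] "GET /zb_users/plugin/demo_plugin/include.php?cmd=whoami HTTP/1.1" 200 18 "-" "curl/8.5.0"
198.51.100.4 - - [21/Apr/2026:10:03:05 +0000] "GET /zb_users/plugin/AppCentre/main.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2026:10:03:59 +0000] "GET /zb_users/plugin/demo_plugin/include.php?x=1&cmd=ls%20-la HTTP/1.1" 200 412 "-" "curl/8.5.0"
198.51.100.4 - - [21/Apr/2026:10:04:30 +0000] "GET /zb_users/plugin/demo_plugin/include.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_PATH = "/zb_users/plugin/AppCentre/app_upload.php"
PLUGIN_PHP_RE = re.compile(r"^/zb_users/plugin/([^/]+)/include\.php$", re.I)

def scan(log_text):
    """Return a list of finding dicts for upload and ?cmd= requests."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, target, status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path)  # normalise %-encoded path variants
        if method == "POST" and path.lower() == UPLOAD_PATH.lower():
            findings.append({"ip": ip, "time": ts, "kind": "zba_upload", "status": int(status)})
            continue
        hit = PLUGIN_PHP_RE.match(path)
        cmd = parse_qs(url.query, keep_blank_values=True).get("cmd")
        if hit and cmd is not None:  # include.php alone is not flagged, only with cmd=
            findings.append({"ip": ip, "time": ts, "kind": "cmd_request",
                             "plugin": hit.group(1), "cmd": cmd[0], "status": int(status)})
    return findings

def correlated_clients(findings):
    """IPs that both uploaded a package and sent ?cmd= requests."""
    uploaders = {f["ip"] for f in findings if f["kind"] == "zba_upload"}
    return sorted({f["ip"] for f in findings if f["kind"] == "cmd_request"} & uploaders)

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f)
    print("upload + cmd from same client:", correlated_clients(results))
```

Pass the contents of the real access log to scan() in place of SAMPLE_LOG; a plugin id that appears in a cmd_request finding is the directory to inspect under /zb_users/plugin/.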


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Restrict or disable the upload functionality in the Application Center to prevent uploading of malicious ZBA files.
  • Remove any suspicious or unauthorized plugins or themes, especially those containing include.php or other unexpected PHP files.
  • Ensure that only trusted administrators have access to the admin panel and upload features.
  • Monitor server logs and web access logs for unusual activity related to the plugin upload endpoint or execution of commands via the backdoor URL.
  • If possible, update or patch Z-BlogPHP to a version that addresses this vulnerability once available.

Since the vendor has not responded, consider implementing additional security controls such as web application firewalls (WAF) to block suspicious requests targeting the upload endpoint.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Z-BlogPHP 1.7.5 allows arbitrary file upload and remote code execution, which can lead to unauthorized access and control over the affected system.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and compromise.

However, the provided information does not explicitly describe the direct impact on compliance or mention specific regulatory consequences.

