CVE-2026-6650
Received Received - Intake
Unrestricted File Upload in Z-BlogPHP AppCentre Plugin

Publication date: 2026-04-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in Z-BlogPHP 1.7.5. This affects the function App::UnPack of the file /zb_users/plugin/AppCentre/app_upload.php of the component ZBA File Handler. The manipulation leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-6650
EUVD
EUVD-2026-23876
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
z-blogphp z-blogphp 1.7.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-6650 is a critical vulnerability in Z-BlogPHP version 1.7.5 that involves an arbitrary file upload flaw in the App::UnPack() method of the ZBA File Handler component. This method processes application packages (ZBA files) by decoding base64-encoded file contents and writing them directly to the filesystem without any security checks such as file type validation, content sanitization, extension verification, or signature validation.

Attackers can craft malicious ZBA files containing PHP backdoor code and upload them via the admin panel through the Application Center’s upload endpoint. Once uploaded and installed as a plugin or theme, the attacker can activate the malicious code and execute arbitrary system commands remotely by accessing a specially crafted URL.

The exploitation steps include logging into the admin panel, uploading the malicious package, installing and activating it, and then running commands on the server through the backdoor script.

Impact Analysis

This vulnerability allows attackers to upload and execute arbitrary PHP code on the affected server, leading to remote code execution (RCE).

  • Attackers can run system commands remotely, potentially gaining full control over the server.
  • Sensitive data on the server could be accessed, modified, or deleted.
  • The server could be used as a launchpad for further attacks within the network.
  • Malicious plugins or themes could be installed, compromising the integrity and availability of the website.
Detection Guidance

This vulnerability can be detected by checking for the presence of malicious plugins or themes uploaded via the Application Center's upload endpoint. Specifically, look for suspicious files in the directory /zb_users/plugin/ that may include backdoor scripts such as include.php.

To verify if the system is compromised or vulnerable, you can attempt to access the backdoor URL pattern: /zb_users/plugin/<plugin_id>/include.php?cmd=<command> where <command> can be system commands like whoami, ipconfig, or dir.

Suggested commands to test the vulnerability remotely (if you have access) include:

  • Accessing the URL: /zb_users/plugin/<plugin_id>/include.php?cmd=whoami to identify the user context.
  • Accessing the URL: /zb_users/plugin/<plugin_id>/include.php?cmd=ipconfig (Windows) or ifconfig (Linux) to check network configuration.
  • Accessing the URL: /zb_users/plugin/<plugin_id>/include.php?cmd=dir (Windows) or ls (Linux) to list directory contents.

Additionally, inspect the upload logs or admin panel upload history for any unauthorized or suspicious ZBA file uploads.

Mitigation Strategies

Immediate mitigation steps include:

  • Restrict or disable the upload functionality in the Application Center to prevent uploading of malicious ZBA files.
  • Remove any suspicious or unauthorized plugins or themes, especially those containing include.php or other unexpected PHP files.
  • Ensure that only trusted administrators have access to the admin panel and upload features.
  • Monitor server logs and web access logs for unusual activity related to the plugin upload endpoint or execution of commands via the backdoor URL.
  • If possible, update or patch Z-BlogPHP to a version that addresses this vulnerability once available.

Since the vendor has not responded, consider implementing additional security controls such as web application firewalls (WAF) to block suspicious requests targeting the upload endpoint.

Compliance Impact

The vulnerability in Z-BlogPHP 1.7.5 allows arbitrary file upload and remote code execution, which can lead to unauthorized access and control over the affected system.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and compromise.

However, the provided information does not explicitly describe the direct impact on compliance or mention specific regulatory consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6650. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart