An issue found in ProcessWire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the download_zip_url parameter when installing a new module. NOTE: this is disputed because exploitation requires that the attacker is able to enter requests as an admin; however, a ProcessWire admin is intentionally allowed to install any module that contains any arbitrary code.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| processwire/processwire(Packagist) | 0 | N/A | N/A |
CVSS Metrics
