CVE-2019-25687
Pegasus · CMS
Pegasus CMS 1.0 is vulnerable to unauthenticated remote code execution via the extra_fields.php plugin due to unsafe eval() usage.
Executive summary
An unauthenticated remote code execution vulnerability in Pegasus CMS 1.0 poses a critical risk of full system compromise.
Vulnerability
The extra_fields.php plugin passes unsanitized request input to PHP's eval(). An unauthenticated attacker can place arbitrary PHP code in the action parameter of a request to submit.php and have it executed with the privileges of the web server process, so the flaw is a direct code-injection primitive rather than a chained one.
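The bug class above, as an added illustration written in Python rather than PHP (this is not Pegasus CMS code; the parameter names `action` and `value` and the handler functions are assumptions). The vulnerable dispatcher builds source text from the attacker-controlled `action` value and hands it to eval(), which is the same shape as calling eval() on a request parameter in PHP; the hardened dispatcher resolves `action` through an allowlist of handler functions, so the parameter can only select code that already exists on the server.

```python
"""Request parameter reaching eval() versus an allowlisted dispatch table.

Added illustration of the unsafe-eval bug class; not Pegasus CMS code.
Parameter names and handlers are assumptions chosen for the demo.
"""


def field_length(value: str) -> int:
    """Harmless handler: length of a submitted extra field."""
    return len(value)


def field_upper(value: str) -> str:
    """Harmless handler: upper-cased extra field."""
    return value.upper()


def vulnerable_dispatch(params: dict) -> str:
    """Analogue of eval("$action(...)") on untrusted input.

    The caller controls 'action' completely, so any expression placed there is
    evaluated with the privileges of the process serving the request.
    """
    action = params.get("action", "")
    value = params.get("value", "")
    return str(eval(f"{action}({value!r})"))  # attacker-controlled source text


# Only names in this table can be reached from the request.
ALLOWED_ACTIONS = {
    "length": field_length,
    "upper": field_upper,
}


def hardened_dispatch(params: dict) -> str:
    """Map the action name to a handler; reject anything not in the allowlist."""
    action = params.get("action", "")
    handler = ALLOWED_ACTIONS.get(action)
    if handler is None:
        raise ValueError(f"unknown action {action!r}")
    return str(handler(params.get("value", "")))


if __name__ == "__main__":
    # A legitimate-looking call works in both dispatchers.
    print(vulnerable_dispatch({"action": "field_length", "value": "abc"}))
    print(hardened_dispatch({"action": "length", "value": "abc"}))
    # Attacker input: the vulnerable path runs it, the hardened path refuses it.
    payload = {"action": "(lambda v: __import__('os').getcwd() and 'pwned')", "value": "x"}
    print(vulnerable_dispatch(payload))
    try:
        hardened_dispatch(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is the fix that matters: input filtering in front of eval() is fragile because PHP has many ways to spell the same call, while a dispatch table removes eval() from the request path entirely.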
Business impact
With a CVSS score of 9.8, this vulnerability represents a critical risk. Successful exploitation gives the attacker code execution as the web server user (the public exploit uses this to open an interactive shell), from which data can be exfiltrated, the host fully compromised, and the position used for lateral movement within the network. The resulting exposure can cause significant reputational damage and prolonged service disruption.
Remediation
Immediate Action: Update Pegasus CMS to the latest version immediately to patch the vulnerable plugin. If an update is unavailable, disable the extra_fields.php plugin until a secure version is deployed.
Proactive Monitoring: Review web access logs for anomalous POST requests directed at submit.php, in particular requests whose query string contains PHP syntax (such as <?php, eval(, system() or unusual percent-encoded sequences. Standard access logs record only the request line, not the POST body, so payloads sent in the body are visible only in WAF, reverse-proxy or application-level logs.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules designed to detect and block PHP injection attempts in HTTP parameters. Treat this as a stopgap that raises the cost of exploitation, not as a substitute for removing the eval() path.
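A detection pass over access logs for the monitoring step above, as an added example that is not part of Pegasus CMS. It assumes Apache/nginx combined log format and that the vulnerable endpoint is served at /submit.php; the log lines in SAMPLE_LOG are constructed for the demonstration. Every POST to the endpoint is reported for review, and requests whose (repeatedly percent-decoded) URI contains PHP constructs are raised to high severity, so a double-encoded payload is still caught.

```python
"""Hunt access logs for POST requests to submit.php carrying PHP-looking payloads.

Added example for the log review step; not Pegasus CMS code. Assumes combined
log format and the endpoint path /submit.php. SAMPLE_LOG is constructed.
Only the request line is present in an access log, so this catches payloads in
the query string; payloads in the POST body need WAF or proxy logs.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus

# Combined log format: ip ident user [timestamp] "METHOD uri proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# PHP constructs that have no business in a CMS form parameter.
PHP_TOKEN_RE = re.compile(
    r"<\?php|`|\b(?:eval|assert|system|passthru|shell_exec|exec|popen|base64_decode)\s*\(",
    re.IGNORECASE,
)

# Constructed sample: a benign GET, an ordinary POST, and two injection attempts
# (the last one double percent-encoded to slip past naive string matching).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "POST /submit.php?action=save HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:02:41 +0000] "POST /submit.php?action=system(%27id%27)%3B HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:02:55 +0000] "POST /submit.php?action=%253C%253Fphp%2520eval(%2524_POST%255Bc%255D)%253B HTTP/1.1" 200 0 "-" "python-requests/2.31"
"""


def deep_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %25-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line: str) -> Optional[dict]:
    """Return a finding for a POST to submit.php, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["uri"].partition("?")
    if m["method"] != "POST" or not path.endswith("/submit.php"):
        return None
    action = deep_decode(parse_qs(query, keep_blank_values=True).get("action", [""])[0])
    tokens = sorted({t.lower() for t in PHP_TOKEN_RE.findall(deep_decode(m["uri"]))})
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "status": int(m["status"]),
        "action": action,
        "tokens": tokens,
        # Any POST to the endpoint deserves a look; PHP tokens make it high priority.
        "severity": "high" if tokens else "review",
    }


def scan_log(text: str) -> list:
    """Findings for every line of an access log, in file order."""
    return [f for f in (analyse_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["ts"], repr(f["action"]), f["tokens"])
```

Tune the endpoint path and token list to the deployment; a 200 status on a high-severity finding is a strong signal that the payload was executed and warrants host-level forensics, not just log review.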
Exploitation status
Public exploit available: yes
Analyst recommendation
This vulnerability is highly critical because exploitation requires no authentication or special conditions and yields code execution on the server. Security teams should prioritize patching immediately and perform a thorough forensic review of the affected host, including the web server logs and a check of the web root for web shells or files the attacker may have dropped, to establish whether unauthorized access has already occurred.