A high-severity vulnerability has been identified in multiple WeiPHP products, assigned CVE-2025-55849 with a CVSS score of 8.4. This flaw could allow an authenticated attacker to execute arbitrary code on the server, potentially leading to a complete system compromise. Successful exploitation could result in significant data breaches, service disruption, and unauthorized access to the underlying infrastructure.

This vulnerability is an authenticated Remote Code Execution (RCE) flaw within a core component of WeiPHP v5. The vulnerability arises from improper input validation in a function responsible for handling file uploads or template modifications. An attacker with authenticated access, even with low privileges, can upload a specially crafted file (e.g., a PHP script disguised as an image) or inject malicious code into a server-side template. When the application processes this file or renders the template, the embedded code is executed on the server with the privileges of the web service account.

This vulnerability is rated as High severity with a CVSS score of 8.4. Exploitation of this flaw can have severe consequences for the business, as an attacker could gain full control over the affected web server. Key risks include the theft of sensitive data such as customer information or intellectual property, complete disruption of web services leading to operational downtime and revenue loss, and reputational damage from a public security breach. Furthermore, a compromised server could be used as a staging point to launch further attacks against other systems within the organization's internal network.

Immediate Action: The primary and most effective remediation is to apply vendor-supplied security updates immediately to all affected WeiPHP installations. Priority should be given to systems that are exposed to the internet. Following the update, organizations must actively monitor for any signs of exploitation attempts by reviewing web server access logs, application logs, and security event logs for unusual activity.

Proactive Monitoring: Security teams should actively monitor for indicators of compromise. This includes looking for suspicious POST requests to file upload endpoints, unexpected file creations or modifications in the web root directory (especially files with extensions like .php, .phtml, .php5), and unusual outbound network connections from the web server. Implement file integrity monitoring (FIM) on application directories to detect unauthorized changes.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:

• Use a Web Application Firewall (WAF) with rules designed to inspect and block malicious file uploads and common code injection patterns.
• Restrict access to the application's administrative and content management panels to trusted IP addresses only.
• Enforce the principle of least privilege for all user accounts, ensuring they only have the permissions essential for their roles.

Public Exploit Available: false

Given the high-severity CVSS score of 8.4, this vulnerability presents a significant risk to the organization. We strongly recommend that all affected WeiPHP instances be patched on an emergency basis, prioritizing publicly accessible systems. While this vulnerability is not currently on the CISA KEV list, its potential for remote code execution makes it a prime candidate for future inclusion. Organizations that cannot patch immediately must implement the recommended compensating controls, such as WAF rules and access restrictions, and actively hunt for any signs of compromise.