CVE-2026-31843

goodoneuz · pay-uz Laravel package

The pay-uz Laravel package contains an unauthenticated remote code execution vulnerability via the /payment/api/editable/update endpoint.

Executive summary

An unauthenticated remote code execution vulnerability in the pay-uz Laravel package allows attackers to overwrite critical payment files and execute arbitrary PHP code.

Vulnerability

The package registers the /payment/api/editable/update route without any authentication middleware, so an unauthenticated attacker can submit a request that writes attacker-controlled content into PHP files the application later executes. The server then runs that content, resulting in remote code execution (RCE).

Business impact

With a CVSS score of 9.8, this is a critical vulnerability that grants an attacker full control over the application server. The potential impact includes the theft of sensitive financial data, unauthorized transactions, and complete server compromise, which could lead to significant reputational and financial damage.

Remediation

Immediate Action: Update the pay-uz package to a version that fixes this issue and audit the PHP files the package writes to, and the web root generally, for unauthorized modifications. Note that /payment/api/ is a route prefix handled by the package, not a filesystem directory, so the audit must cover the files the endpoint can write rather than a path of that name.

Proactive Monitoring: Review access logs for any request to the /payment/api/editable/update endpoint, especially POST requests from sources other than your own administrative tooling, and compare the integrity of the package's PHP files against a known-good baseline.

Compensating Controls: Until the package is updated, block all traffic to the vulnerable endpoint with a Web Application Firewall (WAF) or reverse-proxy rule, and remove the web server's write permission on the web root so that the endpoint cannot create or overwrite executable PHP files.
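The following is an added example for the monitoring and audit steps above; it is not code from the pay-uz package or from this advisory's author. It scans access-log lines for requests to the vulnerable endpoint and compares PHP files against a hash baseline. The log lines, file tree and file contents are constructed for the example; only the endpoint path comes from the advisory.

```python
"""Added example (not pay-uz code): detect requests to the vulnerable endpoint in
Combined Log Format access logs, and detect PHP files changed since a baseline."""
import hashlib
import re
import tempfile
from pathlib import Path

# Endpoint named in the advisory.
VULN_ENDPOINT = "/payment/api/editable/update"

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:12:01:02 +0000] "GET /payment/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:12:01:09 +0000] "POST /payment/api/editable/update HTTP/1.1" 200 43 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2026:12:01:15 +0000] "GET /payment/api/editable/update?x=1 HTTP/1.1" 405 0 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2026:12:02:00 +0000] "POST /payment/api/pay HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_endpoint_hits(log_text, endpoint=VULN_ENDPOINT):
    """Return one record per request whose path (query string ignored) is the endpoint.

    Every method is reported, not only POST: the route has no authentication, so any
    request to it from outside your own admin tooling deserves a look.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path == endpoint:
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "path", "status")})
    return hits


def hash_tree(root, suffix=".php"):
    """SHA-256 of every file with the given suffix under root, keyed by relative POSIX path."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob(f"*{suffix}"))
        if p.is_file()
    }


def diff_baseline(baseline, current):
    """Compare two hash maps and report modified, added and removed files."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo_integrity_check():
    """Build a throwaway tree, take a baseline, then simulate the write the endpoint allows."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "config" / "payment.php").write_text("<?php return ['merchant' => 'demo'];\n")
        (root / "helpers.php").write_text("<?php function fee($x) { return $x * 0.01; }\n")
        baseline = hash_tree(root)
        # Simulated attacker writes through the unauthenticated endpoint (constructed):
        # one existing payment file is overwritten and one new PHP file is dropped.
        (root / "config" / "payment.php").write_text("<?php system($_GET['c']);\n")
        (root / "shell.php").write_text("<?php eval($_POST['x']);\n")
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for hit in find_endpoint_hits(SAMPLE_LOG):
        print("ALERT endpoint hit:", hit)
    print("integrity diff:", demo_integrity_check())
```

In production, take the baseline from a clean package install (or from the package's own files in your dependency lock), store it off-host, and run the comparison on a schedule; any entry under "modified" or "added" inside the package's tree is grounds to treat the host as compromised rather than merely to restore the file.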

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability is highly severe due to the lack of required authentication and the direct impact on code execution. Organizations utilizing this package must treat this as a top-priority remediation item and verify the integrity of their payment processing workflows immediately.