Key Information About the Vulnerability

Title: BiggiDroid Simple PHP CMS 1.0 Unrestricted Upload

Description: The simple PHP Blog CMS is vulnerable to unrestricted arbitrary file upload in the admin panel's Site Logo update functionality. The application performs no server-side validation of the uploaded file, so an attacker who can reach the admin panel can upload a PHP file in place of an image.

Impact: Uploaded files are stored in a web-accessible directory with no restriction on file type, extension, or MIME type. Because the directory is served by the web server, the uploaded PHP file can be requested directly and is executed, leading to execution of arbitrary system commands.

Consequence: Successful exploitation results in remote code execution (RCE) on the underlying server, potentially leading to full system compromise, data theft, installation of persistence, or service disruption.

Reason: The issue results from missing server-side validation, unsafe handling of user-controlled filenames, and a lack of execution restrictions on uploaded content.

Source: https://github.com/Asim-QAZi/RCE-Simplephpblog-bigiedroid

Submitter: moasim (UID 93970)

Submission Date: 12/29/2025 07:36 PM

Moderation Date: 01/09/2026 12:37 PM

Status: Duplicate

VulDB Entry: 2340273 [BiggiDroid Simple PHP CMS 1.0 /admin/editsite.php image unrestricted upload]
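The three root causes listed under Reason map directly onto three fixes. The PHP below is an added illustration written for this entry; it is not BiggiDroid's code and the vulnerable handler only reproduces the pattern the entry describes (client filename trusted, file written into a web-served directory). The hardened handler assumes the fileinfo extension is available, and the function names, the `uploads/logo` directory and the `.htaccess` fragment are assumptions, not details from the advisory; the `image` field name comes from the VulDB entry title.

```php
<?php
// Added example, not the CMS's own code. Models the vulnerable pattern the
// entry describes: the client's filename is trusted and the upload lands in a
// directory the web server both serves and executes PHP from.
function vulnerable_logo_upload(array $file, string $uploadDir): string
{
    // basename() only strips directory parts; "logo.php" is stored as-is.
    $dest = rtrim($uploadDir, '/') . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened replacement (illustrative). Each check answers one cause named in
// the entry: server-side validation, user-controlled filename, and execution
// of uploaded content.
function safe_logo_upload(array $file, string $uploadDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('logo too large');
    }

    // 1. Server-side validation based on content. $file['type'] is set by the
    //    client and must not be used for the decision.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = [
        'image/png'  => 'png',
        'image/jpeg' => 'jpg',
        'image/gif'  => 'gif',
    ];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('only PNG, JPEG or GIF logos are accepted');
    }
    // Independent second check: the bytes must parse as an image at all.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file is not a valid image');
    }

    // 2. Server-generated filename. The client's name and extension are
    //    discarded, which also defeats double extensions like logo.php.png
    //    and path tricks; the extension is derived from the detected type.
    $name = 'site-logo-' . bin2hex(random_bytes(8)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store logo');
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

// 3. Execution restriction on the directory itself, independent of the PHP
//    checks above (an image with PHP embedded in its metadata still passes
//    getimagesize). For Apache with mod_php, an .htaccess in the logo
//    directory (assumes AllowOverride permits these directives):
//
//      php_flag engine off
//      <FilesMatch "\.(php|phtml|phar|php[0-9])$">
//          Require all denied
//      </FilesMatch>
//
//    With PHP-FPM, php_flag has no effect; deny the script handler for that
//    location in the server config instead.

// Hypothetical call site for the Site Logo handler:
// $path = safe_logo_upload($_FILES['image'], __DIR__ . '/../uploads/logo');
```

The stronger variant of step 3 is to store logos outside the document root entirely and serve them through a small PHP script that sets `Content-Type` from the stored MIME type; then no web-server configuration can accidentally re-enable execution.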