A path traversal vulnerability was identified in SourceCodester Pet Grooming Management System 1.0, affecting the admin/manage_website.php component. An authenticated user with administrative privileges can leverage this flaw by submitting a specially crafted POST request, enabling the deletion of arbitrary files on the web server.# CVE-2025-63298
A path traversal vulnerability was identified in SourceCodester Pet Grooming Management System 1.0, affecting the admin/manage_website.php component. An authenticated user with administrative privileges can leverage this flaw by submitting a specially crafted POST request, enabling the deletion of arbitrary files on the web server.
* [https://www.cve.org/CVERecord?id=CVE-2025-63298](https://www.cve.org/CVERecord?id=CVE-2025-63298)
* [https://www.sourcecodester.com/php/18340/pet-grooming-management-software-download.html](https://www.sourcecodester.com/php/18340/pet-grooming-management-software-download.html)
There is a vulnerable function that will delete every file we put into the 'old_login_image' POST parameter by performing a path traversal.
<img width="947" height="232" alt="image" src="https://github.com/user-attachments/assets/570c0fcb-c164-498e-8897-44d85fd1120d" />
It is possible to delete index.php, which will result in a denial of service.
<img width="753" height="785" alt="image" src="https://github.com/user-attachments/assets/27bab49d-25e3-4a98-a387-ea3ca9493207" />
<img width="479" height="198" alt="image" src="https://github.com/user-attachments/assets/862c2ad9-983d-40b7-a155-a4322005edc3" />
Discovered by Z3robyte on October 2025
[4.0K] /data/pocs/c4887e08746e14561ada954f36884c5a87665668
└── [1.3K] README.md
1 directory, 1 file