VYPR
High severity · NVD Advisory · Published Mar 6, 2026 · Updated Mar 6, 2026

Idno: Remote Code Execution via Chained Import File Write and Template Path Traversal

CVE-2026-28507

Description

Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in version 1.6.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Idno prior to 1.6.4 allows RCE by chaining an admin-level arbitrary file write via WordPress import with an authenticated template path traversal.

CVE-2026-28507 is a remote code execution vulnerability that affects Idno, a social publishing platform, prior to version 1.6.4. The issue is a chain of two distinct flaws: an arbitrary PHP file write achieved through a server-side request forgery (SSRF) during WordPress import, and a template path traversal that allows including that file. The advisory from the maintainers describes the full chain [1].

Exploitation

Exploitation involves two privilege levels: a web application admin account to trigger the file write, and any authenticated user (possibly the same admin) to trigger the template inclusion. The admin imports a crafted WordPress eXtended RSS (WXR) XML file, which causes the server to fetch attacker-controlled image URLs. The importImagesFromBodyHTML() function constructs the saved filename by applying basename() to the raw URL, so the remote side chooses both the name and the extension; this lets the attacker place a file ending in .tpl.php in the server's uploads directory [1]. Once the file is written, any authenticated user can send a request whose unsanitized template name parameter traverses out of the template directory and includes the attacker-controlled file, leading to arbitrary code execution [1].
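The two checks whose absence the advisory describes, written out as defensive code. This is an added illustration in Python, not Idno/Known's own PHP code; the `.tpl.php` template suffix is taken from the advisory text, and the image extension allowlist and the `/srv/known/templates` root used in the comments are constructed assumptions.

```python
"""Defensive versions of the two checks at issue above. Added example, not
Idno/Known's own code: the template suffix and allowlist are assumptions."""
import os
import re
import secrets
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist: the only extensions an image importer should persist.
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}
# Template names: path-like, but no leading "/" and no empty or ".." segments.
TEMPLATE_NAME_RE = re.compile(
    r"^[A-Za-z0-9_][A-Za-z0-9_.-]*(/[A-Za-z0-9_][A-Za-z0-9_.-]*)*$")
TEMPLATE_SUFFIX = ".tpl.php"  # assumed naming, taken from the advisory text


def unsafe_import_filename(url: str) -> str:
    """The weak derivation: basename() of the raw URL, so the remote side
    chooses the stored name and extension (e.g. something.tpl.php)."""
    return os.path.basename(url)


def safe_import_filename(url: str) -> Optional[str]:
    """Keep only an allowlisted extension taken from the URL *path*; the stem
    is random, so nothing chosen by the remote side reaches the filesystem."""
    path = urlparse(url).path  # query string and fragment are discarded
    ext = os.path.splitext(os.path.basename(path))[1].lstrip(".").lower()
    if ext not in IMAGE_EXTENSIONS:
        return None  # caller skips the image instead of writing the file
    return f"{secrets.token_hex(16)}.{ext}"


def resolve_template(name: str, template_dir: str) -> Optional[str]:
    """Map a user-supplied template name to a file that must lie inside
    template_dir; returns None for traversal or malformed names."""
    if not TEMPLATE_NAME_RE.match(name) or ".." in name.split("/"):
        return None
    root = os.path.realpath(template_dir)
    candidate = os.path.realpath(os.path.join(root, name + TEMPLATE_SUFFIX))
    # Containment is checked on canonical paths, so symlinks cannot escape either.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate
```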

Impact

An attacker who successfully chains these vulnerabilities can execute arbitrary operating system commands as the web server user. The CVSS v4 score is 8.6 (High) with a vector of AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, reflecting the need for admin privileges for the write step and the full compromise of confidentiality, integrity, and availability [1].

Mitigation

The vulnerability is patched in Idno version 1.6.4, which includes security fixes for both the image import and template validation issues [1][4]. Users should upgrade to 1.6.4 immediately. No other workarounds are documented.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions   Patched versions
idno/known (Packagist)   < 1.6.4             1.6.4

Affected products

  • Idnow/Idnow (llm-fuzzy)
    Range: < 1.6.4
  • idno/idno (v5)
    Range: < 1.6.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.