VYPR
High severity · CVSS 7.2 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-49954

Description

Discuz! X5.0 plugin import path traversal leads to local file inclusion and RCE for authenticated administrators.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Discuz! X5.0 releases 20260320 through 20260501 (and possibly later) contain a local file inclusion vulnerability in the plugin management functionality. The enable_disable.php script includes a file based on plugin metadata stored in the database. When importing a plugin configuration, the directory attribute is insufficiently validated, allowing path traversal sequences. By triggering an exception during plugin installation, the sanitization routine is bypassed, causing malicious paths to be stored unsanitized. This allows an authenticated administrator to force the application to include arbitrary files via the include() call at line 36 of enable_disable.php [2][3].

Exploitation

An attacker must have administrator privileges on the Discuz! forum. They import a specially crafted plugin configuration containing directory traversal sequences (e.g., ../../../../tmp/evil) in the directory attribute. During plugin installation, they trigger an exception (e.g., by providing malformed data) to bypass the sanitization routine. The unsanitized path is stored in the database. When the plugin is enabled or disabled, the application includes the file at that path. By combining this with an upload functionality that stores PHP code (e.g., via avatar upload or attachment), the attacker can include a malicious PHP file and achieve code execution [1][2].

Impact

Successful exploitation allows an authenticated administrator to execute arbitrary PHP code in the context of the web server user. This can lead to full compromise of the Discuz! installation, including data exfiltration, modification, and further lateral movement within the server. The vulnerability is rated CVSS 7.2 (High) [3].

Mitigation

No official fix is currently available as of the publication date. The vendor was contacted on 27 April 2026 but did not respond [2]. Affected versions include Discuz! X5.0 releases 20260320 through 20260610 (and possibly older X3.4/X3.5). As a workaround, administrators should restrict plugin import capabilities to trusted users only, and monitor for unauthorized plugin installations. Until a patch is released, upgrading to a newer version or applying manual input validation on the plugin directory attribute may reduce risk [2][3].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing sanitization of path traversal sequences in the plugin directory attribute allows an attacker-controlled path to be passed to include(), leading to Local File Inclusion."

Attack vector

An authenticated administrator imports a crafted plugin XML configuration that sets the `directory` attribute to a path traversal sequence (e.g., `../../data/attachment/common/cf/`). The `$_GET['dir']` parameter must be set to an existing plugin directory (e.g., `myrepeats`) to pass the initial check, but the attacker-controlled `$pluginarray` overrides the stored directory. When the plugin is enabled or disabled, the unsanitized directory is concatenated with a user-controlled filename from `$pluginarray[$operation.'file']` and passed to `include()`. By first uploading a file containing PHP code (e.g., via the avatar upload feature) into the traversed directory, the attacker causes the `include()` to execute arbitrary PHP code, achieving Remote Code Execution [ref_id=1].

Affected code

The vulnerability resides in `/source/app/admin/child/plugins/enable_disable.php` (line 36) where `include $filename` is called with a path partially controlled by the attacker, and in `/source/app/admin/child/plugins/import.php` (lines 54, 62) where the `$dir` and `$pluginarray` values are set from user input without sufficient sanitization. The `plugininstall()` function in `/source/function/function_plugin.php` (line 75) appends a trailing slash to the `directory` value but does not strip path traversal sequences, allowing a value like `../../data/attachment/common/cf/` to be stored unsanitized.

What the fix does

The advisory does not provide a patch diff. The recommended remediation is to sanitize the `directory` attribute during plugin import by stripping path traversal sequences (e.g., `../`) and validating that the resulting path stays within the intended `/source/plugin/` directory. Additionally, the filename passed to `include()` should be checked against a whitelist of allowed plugin files rather than relying solely on a regex that permits any word characters and dots [ref_id=1].
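One way to implement the remediation described above, as an added example that is not Discuz! code (the plugin base path, the allow-list of file names, and the character set accepted for directory names are assumptions):

```php
<?php
// Added example, not Discuz! code: hardened handling of the plugin
// `directory` attribute and the file name passed to include().
// The base path and $allowedFiles are assumptions, not project values.

// A plugin directory is a single path segment (letters, digits, underscore).
// Rejecting anything else is safer than stripping "../", which "....//" survives.
function validPluginDirectory(string $dir): bool
{
    return (bool) preg_match('/\A[a-z0-9_]{1,40}\z/i', $dir);
}

// Only a fixed set of plugin script names may be included (allow-list),
// instead of any "word characters and dots".
function validPluginFile(string $file, array $allowedFiles): bool
{
    return in_array($file, $allowedFiles, true);
}

// Build the include path and confirm the resolved path is still inside
// $base. realpath() returns false for a missing file, which also rejects.
function resolvePluginInclude(string $base, string $dir, string $file, array $allowedFiles): ?string
{
    if (!validPluginDirectory($dir) || !validPluginFile($file, $allowedFiles)) {
        return null;
    }
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $dir . '/' . $file);
    if ($baseReal === false || $target === false) {
        return null;
    }
    // Compare with a trailing separator so "/plugin_evil" is not taken for "/plugin".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo: a throwaway plugin tree under the system temp dir.
$base = sys_get_temp_dir() . '/plugin_demo_' . getmypid();
mkdir("$base/myrepeats", 0700, true);
file_put_contents("$base/myrepeats/enable.inc.php", "<?php\n");
$allowed = ['enable.inc.php', 'disable.inc.php'];
var_dump(resolvePluginInclude($base, 'myrepeats', 'enable.inc.php', $allowed));
var_dump(resolvePluginInclude($base, '../../data/attachment/common/cf/', 'enable.inc.php', $allowed));
var_dump(resolvePluginInclude($base, 'myrepeats', '../../../etc/passwd', $allowed));

unlink("$base/myrepeats/enable.inc.php"); rmdir("$base/myrepeats"); rmdir($base);
```

The first call resolves to the real file under the base directory; the traversal directory and the traversal file name are both rejected before any include() would run.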

Preconditions

  • auth: The attacker must be authenticated as an administrator on the Discuz! X5.0 instance.
  • input: The attacker must be able to upload a file containing PHP code to a reachable directory (e.g., via the avatar/profile picture upload feature).
  • input: The plugin import functionality must be accessible, and the attacker must supply a valid existing plugin directory name (e.g., `myrepeats`) in the `$_GET['dir']` parameter.

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0. No linked articles in our index yet.