This top CMS has a major security flaw that could affect millions of websites


PHPFusion, a top open-source content management system (CMS), carries multiple vulnerabilities that could put countless websites at risk, experts have warned.

A report from researchers at Synopsys, who discovered the flaws, described one of the vulnerabilities as an authenticated local file inclusion flaw, now tracked as CVE-2023-2453. If an attacker can upload a malicious PHP file to a known path on a target system, the flaw would allow them to run arbitrary code on the remote endpoint.

The second vulnerability is a moderate-severity bug in the CMS that allows threat actors to read files and write them to arbitrary locations. This one is tracked as CVE-2023-4480. All PHPFusion versions up to 9.10.30 are vulnerable, the researchers added, stating that there is no patch available. To make matters worse, there seems to be no interest whatsoever in fixing the flaws.

No patches in the pipeline

In a notification email sent to TechRadar Pro on behalf of Synopsys, it was said that there are currently “no patches available to fix the vulnerability, nor is the team aware of any plans by the project owners to create a patch.”

Synopsys said it tried to reach the PHPFusion maintainers on numerous occasions, via email, vulnerability disclosure processes, GitHub, and community forums, to no avail. The team finally decided to go public. PHPFusion is yet to respond to media inquiries.

The open-source CMS was built in 2003. Since then it has gained prominence, amassing a user base of some 15 million (according to website data). Dark Reading reports that many small and medium-sized businesses use it to create online forums, community-driven websites, and more.

To stay safe, the researchers added, it would be best to disable the “Forum” Infusion through the admin panel, while acknowledging that in some cases this would shut down the entire website.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.