[KIS-2026-11] Discuz! <= X5.0 (enable_disable.php) Local File Inclusion Vulnerability


Full Disclosure mailing list archives


From: Egidio Romano <n0b0d13s () gmail com>
Date: Mon, 15 Jun 2026 20:44:33 +0200

-----------------------------------------------------------------------
Discuz! <= X5.0 (enable_disable.php) Local File Inclusion Vulnerability
-----------------------------------------------------------------------


[-] Software Link:

https://www.discuz.vip


[-] Affected Versions:

Version X5.0, releases 20260320 through 20260610.
Older X3.4 and X3.5 releases may be affected too.


[-] Vulnerability Description:

A Local File Inclusion (LFI) vulnerability exists in the Discuz! plugin
management functionality. When enabling or disabling a plugin, the
application includes a file whose path is derived from plugin metadata
stored in the database. Due to insufficient validation of the plugin's
directory attribute during the import process, an administrator can import
a specially crafted plugin configuration containing Directory Traversal
sequences. By additionally triggering an exception during plugin
installation, the sanitization routine can be bypassed, causing malicious
paths to be stored unsanitized.

The vulnerable code is located in the
/source/app/admin/child/plugins/enable_disable.php script:

32 if(!empty($pluginarray[$operation.'file']) && preg_match('/^[\w\.]+$/', $pluginarray[$operation.'file'])) {
33     $filename = DISCUZ_PLUGIN($dir).'/'.$pluginarray[$operation.'file'];
34     if(file_exists($filename)) {
35         $installlang = load_installlang($dir);
36         @include $filename;
37     }
38 }

Because the attacker controls both the plugin directory and the included
filename through the imported plugin metadata, it becomes possible to force
the application to include arbitrary files from the local filesystem by
abusing the include() call at line 36. By combining this issue with an
upload functionality that allows PHP code to be stored on the server, an
authenticated administrator can escalate the vulnerability to arbitrary PHP
code execution, resulting in Remote Code Execution (RCE) in the context of
the web server user.

Successful exploitation of this vulnerability requires administrator
privileges.
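As an added example (not part of this advisory or of the Discuz! code base), a hardened version of the path construction at line 33 in PHP: the directory component is validated as strictly as the file name, and the resolved path is checked to lie inside the plugin base directory before it is handed back for inclusion. The function name, parameter names and the throwaway demo tree are assumptions.

```php
<?php
// Added example: safe resolution of a plugin install/uninstall script path.
// In the advisory, DISCUZ_PLUGIN($dir) builds the path from a directory
// name taken from imported plugin metadata; here both path components are
// validated and the final path is checked against the plugin base directory.
// resolve_plugin_file() and its parameters are illustrative names.

function resolve_plugin_file(string $base, string $dir, string $file): ?string
{
    // Directory identifier: word characters only, no dots or separators, so
    // neither "../" nor an absolute path can arrive through the metadata.
    if (!preg_match('/^\w+$/', $dir)) {
        return null;
    }
    // File name: same character class as the original check, plus an
    // explicit rejection of ".." even though "/" is already excluded.
    if (!preg_match('/^[\w.]+$/', $file) || strpos($file, '..') !== false) {
        return null;
    }
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $dir . '/' . $file);
    if ($baseReal === false || $target === false) {
        return null; // base directory missing or target file does not exist
    }
    // Containment check on the canonical path: the file must live below the
    // plugin base directory, which also rejects symlinks pointing elsewhere.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo: a temporary plugin tree with one file outside a plugin dir.
$base = sys_get_temp_dir() . '/plugin_demo_' . getmypid();
mkdir($base . '/myplugin', 0700, true);
file_put_contents($base . '/myplugin/install.php', "<?php\n");
file_put_contents($base . '/outside.txt', "not a plugin file\n");

var_dump(resolve_plugin_file($base, 'myplugin', 'install.php')); // legitimate plugin script
var_dump(resolve_plugin_file($base, '..', 'outside.txt'));       // traversal in the directory component
var_dump(resolve_plugin_file($base, 'myplugin', '../outside.txt')); // separator in the file component

// Clean up the demo tree.
unlink($base . '/myplugin/install.php');
unlink($base . '/outside.txt');
rmdir($base . '/myplugin');
rmdir($base);
```

The containment check matters even with the regexes in place: it catches a plugin directory that is itself a symlink out of the plugin tree, which character-class filtering alone cannot.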


[-] Proof of Concept:

https://karmainsecurity.com/pocs/discuz_rce.zip


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[27/04/2026] - Vendor contacted through private messages on gitee.com, no
response
[27/04/2026] - Vendor contacted via e-mail at admin () discuz vip and
security () tencent com, no response
[07/05/2026] - Opened issue IJLFUW on https://gitee.com/Discuz/DiscuzX
[09/05/2026] - Vulnerability details shared within issue IJLFUW
[09/05/2026] - Vendor replied "all plugin-related issues are reviewed by
application center auditors"
[09/06/2026] - CVE identifier requested
[09/06/2026] - CVE identifier assigned
[13/06/2026] - Public disclosure at hackmeeting 0x1D
[15/06/2026] - Publication of this advisory


[-] CVE Reference:

CVE-2026-49954 has been assigned to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

https://karmainsecurity.com/KIS-2026-11


[-] Technical write-up:

https://karmainsecurity.com/chaining-bugs-in-discuz-from-race-condition-to-rce
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Source: https://seclists.org/fulldisclosure/2026/Jun/5