CVE-2023-53888

HighPublic PoC

Published: 15 December 2025

Published

15 December 2025

Modified

24 December 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0090 75.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload malicious JavaScript files, rename them to PHP, and execute system commands by exploiting the…

saveE and rename actions in the application.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Validates file inputs during saveE and rename actions to block injection of malicious JavaScript files renamed to PHP, directly preventing code execution.

AC-6 Least Privilege good match

prevent

Enforces least privilege to restrict low-privilege authenticated users from accessing file manipulation endpoints that enable arbitrary PHP code execution.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific flaw in Zomplog's file upload and rename functions to eliminate the remote code execution vulnerability.

Security SummaryAI

CVE-2023-53888 is a remote code execution vulnerability affecting Zomplog 3.9, a blogging application. The flaw, classified under CWE-94 (Code Injection), enables authenticated attackers to inject and execute arbitrary PHP code via file manipulation endpoints. Specifically, attackers exploit the saveE and rename actions to upload malicious JavaScript files, rename them with .php extensions, and execute system commands.

Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS 3.1 score of 8.8. Successful exploitation allows full remote code execution on the server, potentially leading to complete system compromise.

Advisories, including one from Vulncheck, describe the issue as remote code execution via authenticated file manipulation. Proof-of-concept exploits are publicly available on Exploit-DB (ID 51624). An archived reference to the Zomplog project dates back to 2008, indicating it is legacy software with no mentioned patches in the provided references.

Details

CWE(s): CWE-94

Affected Products

zomp

zomplog

3.9

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

The vulnerability is a remote code execution in a public-facing web blogging application via authenticated file upload and rename to PHP for arbitrary code execution, directly enabling T1190 (Exploit Public-Facing Application) and facilitating web shell deployment and execution (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://web.archive.org/web/20080616153330/http://zomp.nl/zomplog/
Product · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/51624
Exploit, Third Party Advisory, VDB Entry · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/zomplog-remote-code-execution-via-authenticated-file-manipulation
Third Party Advisory, Exploit · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/51624
Exploit, Third Party Advisory, VDB Entry · 134c704f-9b21-4f2e-91b3-4a467353bcc0