Cyber Posture

CVE-2023-53952

Severity: High · Public PoC

Published: 19 December 2025
Modified: 24 December 2025
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0089 (75.7th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with a .phar extension through the blog post creation interface. Attackers can upload files containing PHP system commands that execute when the uploaded file is accessed, enabling arbitrary code execution on the server.

Mitigating Controls (NIST 800-53 r5, AI-generated)

prevent (SI-2 Flaw Remediation)
Requires timely identification, reporting and patching of the Dotclear file upload flaw to prevent authenticated RCE via malicious .phar uploads.

prevent (SI-10 Information Input Validation)
Mandates validation of uploads at the blog post creation interface: accept only an explicit allowlist of extensions and content types rather than blocking .php alone, so that .phar and the other extensions a PHP handler executes are rejected before the file is written to disk.

prevent / detect (SI-3 Malicious Code Protection)
Deploys malicious code protection mechanisms to scan and block executable PHP payloads in uploaded files at system boundaries and in storage.
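As an added example, not Dotclear's code and not part of the NIST control text, the Python below puts the class of check that lets a .phar upload through next to an allowlist-based check of the kind SI-10 calls for. The blocklist function is a hypothetical illustration of the bug class, not a reproduction of the Dotclear flaw; the allowed types, their magic bytes, and the upload- naming scheme are illustrative assumptions.

```python
import hashlib
import re

# Extensions that common PHP handler configurations execute as PHP. Debian's
# Apache mod_php config matches .php, .phar and .phtml; older setups also map
# .php3 to .php7 and .phps. All of them are treated as executable here.
PHP_EXECUTABLE_EXTS = {"php", "phar", "phtml", "php3", "php4", "php5", "php7", "phps"}

# Allowlist of what a blog image/attachment upload is expected to carry, with
# the magic bytes each must start with. Illustrative, not Dotclear's list.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def vulnerable_is_allowed(filename: str) -> bool:
    """Blocklist check of the kind that lets .phar through: it refuses only .php.
    Hypothetical illustration of the bug class, not Dotclear's code."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext != "php"


def hardened_is_allowed(filename: str, data: bytes) -> bool:
    """Allowlist check: the final extension must be a known type; no earlier
    dotted component may be PHP-executable (AddHandler-style configs execute
    shell.php.jpg); the content must start with that type's magic bytes and
    must not contain a PHP open tag anywhere (polyglot images)."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False
    ext, earlier = parts[-1], parts[1:-1]
    if ext not in ALLOWED_TYPES:
        return False
    if any(p in PHP_EXECUTABLE_EXTS for p in earlier):
        return False
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False
    if PHP_OPEN_TAG.search(data):
        return False
    return True


def safe_stored_name(filename: str, data: bytes) -> str:
    """Name under which an accepted file is written: server-chosen, with the
    validated extension, never the client's filename. Returns '' if rejected."""
    if not hardened_is_allowed(filename, data):
        return ""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"upload-{hashlib.sha256(data).hexdigest()[:16]}.{ext}"


if __name__ == "__main__":
    # Constructed sample inputs: a web shell with a .phar name and a real PNG header.
    shell = b"<?php system($_GET['cmd']); ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("blocklist accepts cmd.phar:", vulnerable_is_allowed("cmd.phar"))
    print("allowlist accepts cmd.phar:", hardened_is_allowed("cmd.phar", shell))
    print("allowlist accepts logo.png:", hardened_is_allowed("logo.png", png))
    print("stored as:", safe_stored_name("logo.png", png))
```

The content checks matter as much as the name: the .phar case on this page is a pure extension bypass, but the same handler will run a file named image.php.jpg under an AddHandler configuration and a polyglot GIF under a local file inclusion, so a validator that only looks at the last extension is still short. Storing uploads outside the document root, or with PHP execution disabled for that directory, removes the execution path regardless of what the validator misses.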

Security Summary (AI-generated)

CVE-2023-53952 is a remote code execution vulnerability affecting Dotclear version 2.25.3, an open-source blog publishing platform. The flaw is in the blog post creation interface, whose upload handling lets an authenticated user store a PHP file carrying a .phar extension. The extension is the whole trick: on servers whose PHP handler is mapped to .phar as well as .php (Debian's Apache mod_php configuration, for example, matches .php, .phar and .phtml), a request for the uploaded file executes the PHP it contains, including any system commands the attacker placed in it.

The vulnerability requires low-privilege authentication (PR:L) and can be exploited remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), resulting in a CVSS v3.1 base score of 8.8 (high severity: C:H/I:H/A:H; CWE-434, Unrestricted Upload of File with Dangerous Type). An attacker with valid credentials, such as a registered blog contributor, can use the upload feature to plant an executable payload and obtain arbitrary code execution in the context of the PHP process on first access, from which the rest of the hosting environment is reachable.

Patching information is available from the vendor at https://dotclear.org/; a public proof-of-concept exploit is listed at https://www.exploit-db.com/exploits/51353, and VulnCheck has published an advisory at https://www.vulncheck.com/advisories/dotclear-authenticated-remote-code-execution-via-file-upload. The CVE record was published on 2025-12-19, well after the proof-of-concept, so affected deployments should be treated as exposed to a ready-made exploit: upgrade to a release the vendor identifies as fixed and, until then, disable PHP execution in the upload directory and review existing uploads for PHP-executable extensions and embedded PHP tags.

Details

CWE(s)
CWE-434 Unrestricted Upload of File with Dangerous Type

Affected Products
Vendor: dotclear
Product: dotclear
Version: 2.25.3

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability allows authenticated remote code execution by uploading a PHP file with a .phar extension to a public-facing web application, mapping to Exploit Public-Facing Application (T1190) for the upload and Web Shell (T1505.003) for the dropped file, which keeps giving access until it is found and removed.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
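Added example, not from the page and not Dotclear's code: a hunt for the artefacts these two techniques leave behind. It sweeps an upload tree for files with a PHP-executable extension or a PHP open tag in any file, and checks Apache combined-format access log lines for successful requests to such files under the media path. The directory layout, the /public/ prefix and the log lines are constructed for the example; confirm the real media root and handler mapping on the host being reviewed.

```python
import re
import tempfile
from pathlib import Path

# Extensions a common mod_php configuration executes (Debian maps .php, .phar,
# .phtml; older setups add .php3 to .php7 and .phps). One regex serves both the
# filesystem sweep and the access-log check.
PHP_EXEC_RE = re.compile(r"\.ph(ar|p[3-7]?|tml|ps)$", re.IGNORECASE)
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Functions a dropped web shell almost always reaches for.
SHELL_FUNC_RE = re.compile(
    rb"\b(system|passthru|shell_exec|exec|popen|proc_open|eval|assert)\s*\(", re.IGNORECASE
)


def sweep_upload_dir(root: str) -> list[dict]:
    """Walk an upload tree and report anything that could run as PHP: an
    executable extension, or a PHP open tag inside a file of any extension."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        head = path.read_bytes()[:65536]
        has_tag = bool(PHP_TAG_RE.search(head))
        exec_ext = bool(PHP_EXEC_RE.search(path.name))
        if has_tag or exec_ext:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "exec_ext": exec_ext,
                "php_tag": has_tag,
                "shell_func": bool(SHELL_FUNC_RE.search(head)),
            })
    return sorted(findings, key=lambda f: f["path"])


# Apache combined-log line; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_webshell_requests(log_lines: list[str], upload_prefix: str) -> list[dict]:
    """Successful requests for a PHP-executable file under the upload path.
    A 200 to such a path is worth pulling whether or not the handler ran it."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if path.startswith(upload_prefix) and PHP_EXEC_RE.search(path) and m["status"] == "200":
            hits.append({"ip": m["ip"], "path": path, "ts": m["ts"]})
    return hits


def demo() -> tuple[list[dict], list[dict]]:
    """Builds a constructed upload tree and constructed log lines, runs both checks."""
    with tempfile.TemporaryDirectory() as root:
        media = Path(root) / "2025" / "12"
        media.mkdir(parents=True)
        (media / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 sample")
        (media / "cmd.phar").write_bytes(b"<?php system($_GET['cmd']); ?>")
        (Path(root) / "banner.gif").write_bytes(b"GIF89a<?php eval($_POST['x']); ?>")
        fs = sweep_upload_dir(root)
    logs = [  # constructed access-log lines
        '203.0.113.7 - - [20/Dec/2025:10:01:02 +0000] "GET /public/2025/12/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [20/Dec/2025:10:01:09 +0000] "GET /public/2025/12/cmd.phar?cmd=id HTTP/1.1" 200 61 "-" "curl/8.0"',
        '198.51.100.4 - - [20/Dec/2025:10:02:00 +0000] "GET /admin/post.php?id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    ]
    return fs, flag_webshell_requests(logs, "/public/")


if __name__ == "__main__":
    findings, hits = demo()
    for f in findings:
        print("file:", f)
    for h in hits:
        print("request:", h)
```

Run the sweep against a copy of the media directory rather than the live one, and treat any hit on the log check as a triage lead: the source IP, the session that performed the original upload (the admin endpoint in the preceding requests), and the post the file was attached to are all recoverable from the same log.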

References

https://dotclear.org/
https://www.exploit-db.com/exploits/51353
https://www.vulncheck.com/advisories/dotclear-authenticated-remote-code-execution-via-file-upload