Cyber Posture

CVE-2024-55529

Critical

Published: 06 January 2025

Modified: 05 September 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0093 (76.2th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Z-BlogPHP 1.7.3 is vulnerable to arbitrary code execution via \zb_users\theme\shell\template.

Security Summary

Z-BlogPHP 1.7.3 is affected by CVE-2024-55529, a critical arbitrary code execution vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) published on 2025-01-06. The issue arises in the \zb_users\theme\shell\template component and is classified under CWE-94 (Code Injection).

Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation results in arbitrary code execution on the target system, with high impact on confidentiality, integrity, and availability.

Advisories and further details are available at https://github.com/fengyijiu520/Z-Blog-.

Details

CWE(s)
CWE-94

Affected Products

Vendor: zblogcn
Product: z-blogphp
Version: 1.7.3
