Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.1
2-Plan Team 1.0.4 allows attackers to upload and run malicious PHP files
CVE-2018-25162
Summary
An attacker with an account on a 2-Plan Team site can upload a malicious file, which the server will then run. This could let the attacker take control of the site or steal sensitive information. Update to the latest version of 2-Plan Team to fix this issue.
Original title
2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. Attackers can ...
Original description
2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. Attackers can upload PHP files through the userfile1 parameter with action=upload, which are stored in the files directory and executed by the web server for remote code execution.
nvd CVSS3.1
6.5
nvd CVSS4.0
7.1
Vulnerability type
CWE-434
Unrestricted File Upload
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026