-- [ Security Advisory: PHP Object Injection in e107 CMS 2.x (CVE-2025-61505)
Published Date: October 10, 2025
CVE ID: CVE-2025-61505
--[ Summary
A PHP Object Injection vulnerability (CWE-502: Deserialization of
Untrusted Data) was discovered in the installation script (install.php)
of e107 CMS version 2.3.3. The vulnerability allows unauthenticated
remote attackers to craft malicious serialized data, potentially leading
to arbitrary code execution, data manipulation, or other malicious actions,
depending on the presence of exploitable classes in the e107 codebase or its
dependencies.
--[ Affected Software
Product: e107 CMS
Versions: <= 2.3.3
Component: Installation script (install.php)
--[ Vulnerability Details
The e107 CMS installation script (install.php) processes user-supplied
input from the $_POST['previous_steps'] parameter, which is decoded from
base64 and passed directly to the PHP unserialize() function without validation.
This occurs in two locations:
Global Scope:
https://github.com/e107inc/e107/blob/29b7e6d3b3e8936b590186b0f309f56f768a4958/install.php#L266
if(isset($_POST['previous_steps'])) {
$tmp = unserialize(base64_decode($_POST['previous_steps']));
$override = (isset($tmp['paths']) && isset($tmp['paths']['hash'])) ?
array('site_path'=>$tmp['paths']['hash']) : array();
unset($tmp);
}
e_install Class Constructor:
https://github.com/e107inc/e107/blob/29b7e6d3b3e8936b590186b0f309f56f768a4958/install.php#L390
if(isset($_POST['previous_steps'])) {
$this->previous_steps = unserialize(base64_decode($_POST['previous_steps']));
$tmpadminpass2 = (isset($this->previous_steps['admin'])) ?
$this->previous_steps['admin']['password'] : '';
$this->previous_steps = $tp->filter($this->previous_steps);
$this->previous_steps['admin']['password'] = $tmpadminpass2;
unset($_POST['previous_steps']);
unset($tmpadminpass2);
}
This insecure deserialization allows an attacker to submit a crafted
base64-encoded serialized string via the previous_steps parameter.
--[ Mitigation
Remove install.php: Delete the installation script after completing CMS setup.
Restrict Access: Use server configuration (e.g., .htaccess) to block access to install.php.
--[ Disclosure Timeline
2025-08-25: Vulnerability discovered
2025-10-10: CVE-2025-61505 assigned by MITRE.
2025-10-10: Public advisory published.
--[ References
e107 CMS Official Website: https://e107.org
e107 CMS GitHub Repository: https://github.com/e107inc/e107
CVE Record: CVE-2025-61505 (to be updated upon publication)
CWE-502: Deserialization of Untrusted Data: https://cwe.mitre.org/data/definitions/502.html
--[ Index ]--