Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer

flatpress has a feature to upload file “uploader” and display from “media manager”. By uploading PHP files, the users can perform Php Remote file Inclusion attack and gain RCE. Copy the following code and save as test.Php (note the uppercase).

Successful exploitation of PHP file inclusion may result in information disclosure or compromise of the vulnerable system. A remote attacker can read and write files or execute arbitrary code on the target system with privileges of the web server. In this case we can do all of this things. Php Remote file Inclusion and RCE in flatpressblog/flatpress