CVE-2019-25687

CRITICAL 9.8

Pegasus CMS 1.0 Remote Code Execution via extra_fields.php

CVSS Score

9.8

EPSS Score

0.3%

EPSS Percentile

53th

Pegasus CMS 1.0 contains a remote code execution vulnerability in the extra_fields.php plugin that allows unauthenticated attackers to execute arbitrary commands by exploiting unsafe eval functionality. Attackers can send POST requests to the submit.php endpoint with malicious PHP code in the action parameter to achieve code execution and obtain an interactive shell.

CWE	CWE-22
Vendor	wisdom
Product	pegasus cms
Published	Apr 5, 2026
Last Updated	Apr 6, 2026

Stay Ahead of the Next One

Get instant alerts for wisdom pegasus cms

Be the first to know when new critical vulnerabilities affecting wisdom pegasus cms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

wisdom / Pegasus CMS

1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/46542 wisdom.com.au: https://www.wisdom.com.au/web/pegasus-cms vulncheck.com: https://www.vulncheck.com/advisories/pegasus-cms-remote-code-execution-via-extra-fields-php

Credits

R3zk0n