A improper control of filename for include/require statement in PHP program vulnerability in the retrieve course Information function of Wisdom Master Pro versions 5.0 through 5.2 allows remote attackers to perform arbitrary system commands by running a malicious file.
The application improperly validates the filename passed to the include or require statement in PHP as part of the course information retrieval function. An attacker without any authentication can provide a path to a malicious file (local or remote) which will then be loaded and executed by the PHP interpreter. As a result, it is possible to execute arbitrary system commands on the server.
An attacker can gain full control over the server — execute arbitrary system commands, read or modify application data, and potentially take control of the infrastructure on which the application runs.
Apply patches available from the vendor according to the references (https://zuso.ai/advisory/za-2025-03). Until the fix is deployed, it is recommended to restrict access to vulnerable application functions at the firewall or web server level and disable the allow_url_include directive in PHP configuration.
Wisdom Master Pro in versions 5.0 to 5.2 (inclusive)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X