Remote Code Execution (RCE) via the backup functionality.
An attacker can execute system commands by abusing the backup functionality.
In theory, an attacker without a valid account can exploit this vulnerability through a CSRF attack.
Because exploitation is difficult for an attacker without a valid account, the attack is only conceivable from an account that has Maintenance privileges and the right to add WIFI networks.
Delete the front/backup.php file.
Details are in the reference below.
For more information
If you have any questions or comments about this advisory: