Jun 22, 2026
Paymenter versions prior to 1.2.11 allow low-privilege authenticated users to execute arbitrary system commands by uploading malicious PHP scripts through the support ticket attachment feature.
An unrestricted file upload vulnerability in Paymenter's support ticket system (prior to version 1.2.11) allows authenticated users to upload arbitrary PHP scripts to a web-accessible directory. The application fails to validate file extensions or MIME types before storing the files, enabling remote code execution under the web server's privilege context.
Paymenter is an open-source hosting webshop solution designed to streamline billing and support operations. The application architecture leverages the Laravel framework and integrates Livewire to provide reactive user interfaces.
The vulnerability exists in the support ticketing system of Paymenter. Specifically, the component managing ticket creation and view operations allowed authenticated users to upload files as attachments. The underlying implementation failed to restrict file extensions or evaluate the payload contents.
Because the uploads are mapped directly to a publicly reachable web directory, this configuration introduces a significant attack surface. An attacker with standard client privileges can place executable scripts on the host filesystem and run them remotely. The security boundary between low-privilege application access and server system execution is bypassed.
The root cause of CVE-2025-58048 is an unrestricted file upload flaw classified under CWE-434. The flaw lies within the completeUpload method implemented in the Livewire components for creating and viewing tickets. This method uses Laravel's local storage driver to persist temporary files uploaded via the frontend editor.
When processing a ticket attachment, the code invokes the standard $attachment->store('public/ticket-attachments') function. This operation saves the uploaded file while retaining its original user-supplied file extension. The server does not perform validation checks on the file extension, MIME type, or file header signature.
Laravel's file storage structure maps the storage/app/public directory to the web-accessible public/storage folder via a symbolic link. As a result, any file written to public/ticket-attachments on the local disk is reachable over HTTP under /storage/ticket-attachments/. A client can therefore request the file directly, and the web server hands a .php resource to the PHP interpreter instead of serving it as a static asset.
The vulnerability was patched in commit 87c3db42282ada1e3cda54b9a01f846926c0669b by completely removing the ticket attachment capability. This strategy eliminates the file upload attack surface.
In the vulnerable version, the completeUpload method stored attachments without verification:

```php
use Illuminate\Support\Facades\Storage;

public function completeUpload($filename)
{
    foreach ($this->attachments as $key => $attachment) {
        if ($attachment->getFilename() === $filename) {
            // Vulnerable: stores the file with its original, user-supplied extension,
            // with no extension/MIME validation, under the web-exposed public disk path
            $url = $attachment->store('public/ticket-attachments');
            $url = Storage::url($url);
            return url($url);
        }
    }
}
```

The fix completely deleted this block from both app/Livewire/Tickets/Create.php and app/Livewire/Tickets/Show.php. The WithFileUploads trait was also removed from the classes.
Additionally, the frontend EasyMDE editor configuration in themes/default/views/components/easymde-editor.blade.php was updated to disable the image upload capability. The uploadImage option was changed from true to false, and the imageUploadFunction that triggered the Livewire upload sequence was removed. Removing the feature outright, rather than filtering uploads, leaves no variant of the same upload path for an attacker to bypass, which makes the fix highly effective.
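Paymenter's maintainers chose to remove the feature. For a project that needs to keep ticket attachments, the following is an added example (not Paymenter's code, nor part of the patch) of how the vulnerable completeUpload method above could have been written so that neither the user-supplied name nor a web-executable path is ever used. The `ticket-private` disk, the `tickets.attachment` route name and the assumed `config/filesystems.php` entry are illustrative assumptions.

```php
<?php
// Added example, not Paymenter's code: a hardened form of completeUpload() for
// the Livewire ticket component. The `ticket-private` disk and the
// `tickets.attachment` route name are assumptions made for this illustration.

namespace App\Livewire\Tickets;

use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;
use Illuminate\Validation\ValidationException;
use Livewire\Component;
use Livewire\WithFileUploads;

class Create extends Component
{
    use WithFileUploads;

    public $attachments = [];

    // Allowlist of extension => MIME types the server must detect from the file bytes.
    private const ALLOWED = [
        'png'  => ['image/png'],
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'gif'  => ['image/gif'],
        'pdf'  => ['application/pdf'],
    ];

    public function completeUpload(string $filename): ?string
    {
        // Framework validation first: size cap plus a content-based MIME check on every attachment.
        $this->validate([
            'attachments.*' => 'file|max:5120|mimes:png,jpg,jpeg,gif,pdf',
        ]);

        foreach ($this->attachments as $attachment) {
            if ($attachment->getFilename() !== $filename) {
                continue;
            }

            // The extension comes from the client-supplied name, so treat it as untrusted input.
            $ext = strtolower(pathinfo($attachment->getClientOriginalName(), PATHINFO_EXTENSION));
            if (!isset(self::ALLOWED[$ext])) {
                throw ValidationException::withMessages(['attachments' => 'Attachment type not permitted.']);
            }

            // Cross-check against the MIME type sniffed from the content, not the client's header.
            if (!in_array($attachment->getMimeType(), self::ALLOWED[$ext], true)) {
                throw ValidationException::withMessages(['attachments' => 'Attachment content does not match its extension.']);
            }

            // Random server-chosen name with an allowlisted extension, written to a disk that is
            // not linked under public/storage, so nothing the user named is ever web-reachable.
            $stored = $attachment->storeAs('ticket-attachments', (string) Str::uuid() . '.' . $ext, 'ticket-private');

            // Hand back an application route rather than a direct storage URL.
            return route('tickets.attachment', ['file' => basename($stored)]);
        }

        return null;
    }
}

// config/filesystems.php (assumed disk definition: no 'url' key, no symlink into public/):
// 'ticket-private' => ['driver' => 'local', 'root' => storage_path('app/ticket-private')],

// routes/web.php (assumed): the only way to fetch an attachment. The file is read from the
// private disk and sent as a download with a fixed content type, so it is never executed.
Route::get('/tickets/attachments/{file}', function (string $file) {
    abort_unless(preg_match('/^[0-9a-f-]{36}\.(png|jpe?g|gif|pdf)$/', $file) === 1, 404);
    // Also confirm here that the requester is allowed to view the ticket the file belongs to.
    return Storage::disk('ticket-private')->download(
        'ticket-attachments/' . $file,
        $file,
        ['Content-Type' => 'application/octet-stream']
    );
})->middleware('auth')->name('tickets.attachment');
```

Three controls stack here: the extension is checked against an allowlist and must agree with the content-sniffed MIME type, the stored name is chosen by the server, and the file lives on a disk that has no public URL, so even a misconfigured web server has nothing under /storage to execute. The download route is the only path to the bytes and pins the Content-Type, which also defuses image/HTML polyglots.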
Exploitation requires standard authenticated user credentials. The attacker must navigate to the support ticket area of the client portal, where the EasyMDE markdown editor is active. This interface provides the channel for uploading attachment resources.
An attacker can construct a payload containing PHP code, such as a basic backdoor. Using the markdown editor's image upload function, the attacker sends the PHP file to the server. The client-side framework handles the initial chunked transport, placing the file in a temporary Laravel folder.
The editor then invokes the completeUpload method via a Livewire event payload, which moves the file to the web-exposed storage directory. The server returns the final storage URL to the client.
To execute the payload, the attacker makes a direct HTTP GET request to the returned URL. Because a typical web server configuration passes any file with a .php extension to PHP-FPM, the shell executes with the permissions of the www-data or equivalent web user. This allows command execution and system access.
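The sequence above leaves two artefacts an administrator can look for: requests in the web server access log for script-like files under /storage/ticket-attachments/, and such files on disk. The following triage script is an added example, not part of the Paymenter project or of the original advisory. The log lines are constructed samples in nginx combined format, and the on-disk directory (storage/app/public/ticket-attachments on a stock install) is an assumption passed on the command line.

```php
<?php
// Added example, not from the Paymenter project: a triage script for administrators
// checking whether the ticket-attachment upload path was used. The log lines below are
// constructed samples in nginx "combined" format; the directory path is an assumption.

const ATTACHMENT_URL_PREFIX = '/storage/ticket-attachments/';
const EXECUTABLE_EXTENSIONS = ['php', 'php5', 'php7', 'php8', 'phtml', 'phar'];

/** Parse one nginx combined-format line into its fields, or return null if it does not match. */
function parseAccessLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

/** True if any dotted segment of the file name is a PHP extension ("shell.php.png" counts too). */
function hasExecutableExtension(string $path): bool
{
    $name = strtolower(basename(strtok($path, '?'))); // drop any query string first
    $parts = explode('.', $name);
    array_shift($parts);                              // discard the base name
    return count(array_intersect($parts, EXECUTABLE_EXTENSIONS)) > 0;
}

/**
 * Return the log entries that requested a script-like file under the attachment directory.
 * A 200 is the alarming case; a 403/404 shows the web server rule is blocking execution.
 */
function findSuspiciousRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $e = parseAccessLine($line);
        if ($e === null || strpos($e['path'], ATTACHMENT_URL_PREFIX) !== 0) {
            continue;
        }
        if (!hasExecutableExtension($e['path'])) {
            continue;
        }
        $e['executed'] = ($e['status'] === 200);
        $hits[] = $e;
    }
    return $hits;
}

/**
 * Scan the on-disk attachment directory: flag files whose name carries a PHP extension
 * and files of any name whose leading bytes contain a PHP open tag (polyglot images).
 */
function scanAttachmentDirectory(string $dir): array
{
    $findings = [];
    foreach (new DirectoryIterator($dir) as $f) {
        if ($f->isDot() || !$f->isFile()) {
            continue;
        }
        $reasons = [];
        if (hasExecutableExtension($f->getFilename())) {
            $reasons[] = 'executable extension';
        }
        $head = file_get_contents($f->getPathname(), false, null, 0, 8192);
        if ($head !== false && preg_match('/<\?(php|=)/i', $head)) {
            $reasons[] = 'php open tag in content';
        }
        if ($reasons) {
            $findings[$f->getFilename()] = $reasons;
        }
    }
    return $findings;
}

// Constructed sample log: a normal image fetch, a script fetch that executed (200),
// and the same fetch after a deny rule was added (404).
$sampleLog = [
    '203.0.113.5 - - [22/Jun/2026:10:01:02 +0000] "GET /storage/ticket-attachments/abc.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Jun/2026:10:01:09 +0000] "GET /storage/ticket-attachments/note.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Jun/2026:10:05:41 +0000] "GET /storage/ticket-attachments/note.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
];

foreach (findSuspiciousRequests($sampleLog) as $hit) {
    printf("%s %s %s -> %d%s\n", $hit['time'], $hit['ip'], $hit['path'], $hit['status'],
        $hit['executed'] ? '  [EXECUTED]' : '');
}

// Usage: php triage.php /path/to/storage/app/public/ticket-attachments (path is an assumption)
if (isset($argv[1]) && is_dir($argv[1])) {
    print_r(scanAttachmentDirectory($argv[1]));
}
```

On the sample log the script reports the two note.php requests and marks the first as executed; the image fetch is ignored. The directory scan looks past the extension because an attachment renamed to .png still carries the PHP open tag, and that is the artefact worth preserving for incident response before the file is removed.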
Successful exploitation allows an authenticated attacker to achieve full remote code execution on the server. The execution context is defined by the privileges of the system user running the PHP-FPM process.
From this position, the attacker can access the system filesystem. This enables the theft of sensitive configuration files, including the .env file containing application keys, mail credentials, and database passwords. With database access, the attacker can extract client data, billing histories, and hosting account details.
Furthermore, the attacker can use the compromised container to pivot into the internal network or the virtualization hypervisors managed by Paymenter. Since Paymenter orchestrates hosting nodes (such as Pterodactyl or Virtualizor), a compromise of the main portal can lead to unauthorized control over downstream virtual machines and infrastructure environments.
The most effective resolution is upgrading Paymenter to version 1.2.11 or later. This release applies the complete removal of the ticket file-upload component.
If upgrading immediately is not feasible, administrators must apply Nginx configuration rules to prevent the execution of PHP scripts within the storage directory. This rule denies requests trying to run PHP files inside the public storage folders:
```nginx
# Place this before the site's generic "location ~ \.php$" block: nginx uses the
# first matching regex location in configuration order.
location ~* ^/storage/.*\.php$ {
    deny all;
    return 404;
}
```

Additionally, administrators can force download behaviour for everything served from the ticket attachments directory. The ^~ modifier makes this prefix match final, so the site's generic PHP location block cannot claim requests under it, and the emptied types map with default_type (rather than add_header, which would only append a second Content-Type header) makes the server send the files as octet streams instead of rendering or executing them:

```nginx
# "^~" stops nginx from consulting regex locations (such as "location ~ \.php$")
# for anything under this prefix.
location ^~ /storage/ticket-attachments/ {
    types { }
    default_type application/octet-stream;
    add_header Content-Disposition "attachment";
}
```

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Paymenter | < 1.2.11 | 1.2.11 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-434 |
| Attack Vector | Network |
| CVSS v3.1 | 10.0 (Critical) |
| EPSS Score | 0.00374 |
| Exploit Status | None (No public functional exploit scripts) |
| KEV Status | Not Listed |
| Impact | Remote Code Execution (RCE) |
The product allows the attacker to upload or transfer files of dangerous types that can be executed within the product's environment.