Discuz! <= X5.0 (enable_disable.php) Local File Inclusion Vulnerability
• Software Link:
• Affected Versions:
Version X5.0, releases 20260320 through 20260610.
Older X3.4 and X3.5 releases may be affected too.
• Vulnerability Description:
A Local File Inclusion (LFI) vulnerability exists in the Discuz! plugin management functionality. When enabling or disabling a plugin, the application includes a file whose path is derived from plugin metadata stored in the database. Due to insufficient validation of the plugin’s directory attribute during the import process, an administrator can import a specially crafted plugin configuration containing Directory Traversal sequences. By additionally triggering an exception during plugin installation, the sanitization routine can be bypassed, causing malicious paths to be stored unsanitized.
The vulnerable code is located in the /source/app/admin/child/plugins/enable_disable.php script:
32  if(!empty($pluginarray[$operation.'file']) && preg_match('/^[\w\.]+$/', $pluginarray[$operation.'file'])) {
33      $filename = DISCUZ_PLUGIN($dir).'/'.$pluginarray[$operation.'file'];
34      if(file_exists($filename)) {
35          $installlang = load_installlang($dir);
36          @include $filename;
37      }
38  }

Because the attacker controls both the plugin directory and the included filename through the imported plugin metadata, it becomes possible to force the application to include arbitrary files from the local filesystem by abusing the include() call at line 36. By combining this issue with an upload functionality that allows PHP code to be stored on the server, an authenticated administrator can escalate the vulnerability to arbitrary PHP code execution, resulting in Remote Code Execution (RCE) in the context of the web server user.
Successful exploitation of this vulnerability requires administrator privileges.
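The snippet above validates only the file name, while the directory attribute taken from imported plugin metadata reaches the path unchecked. The following is an added example, not Discuz! code, of how a defender would confine that include: plugin_include_path() is a hypothetical helper, and $base stands in for the directory DISCUZ_PLUGIN() resolves to.

```php
<?php
// Added example (not part of Discuz!): hardened construction of the plugin
// include path. plugin_include_path() is hypothetical; $base is assumed to be
// the plugin root that DISCUZ_PLUGIN() would map $dir into.

function plugin_include_path(string $base, string $dir, string $file): string
{
    // The original code only constrained the file name; the directory
    // attribute coming from plugin metadata must be constrained as well.
    if (!preg_match('/^[a-z0-9_]+$/i', $dir)) {
        throw new InvalidArgumentException("invalid plugin directory: $dir");
    }
    // Same character class as the original, but '..' is rejected explicitly.
    if (!preg_match('/^[\w.]+$/', $file) || strpos($file, '..') !== false) {
        throw new InvalidArgumentException("invalid plugin file: $file");
    }

    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $dir . '/' . $file);
    if ($baseReal === false || $target === false) {
        throw new RuntimeException('plugin file not found');
    }
    // Defense in depth: the resolved path must stay under the plugin root even
    // if a symlink or an unexpected filesystem layout is involved.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('plugin file escapes plugin root');
    }
    return $target;
}

// Constructed demonstration using a temporary plugin tree.
$base = sys_get_temp_dir() . '/plugins_demo';
@mkdir("$base/myplugin", 0700, true);
file_put_contents("$base/myplugin/install.inc.php", "<?php\n");

echo plugin_include_path($base, 'myplugin', 'install.inc.php'), "\n";

// Metadata-controlled values that the original code would have accepted.
foreach ([['../../somewhere', 'install.inc.php'], ['myplugin', '..']] as [$d, $f]) {
    try {
        plugin_include_path($base, $d, $f);
    } catch (Exception $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

The realpath() check is the part that still holds if the import-time sanitization is bypassed, as the advisory describes, because it is applied at the point of inclusion rather than relying on what was stored in the database.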
• Proof of Concept:
https://karmainsecurity.com/pocs/discuz_rce.zip
• Solution:
No official solution is currently available.
• Disclosure Timeline:
[27/04/2026] – Vendor contacted through private messages on gitee.com, no response
[27/04/2026] – Vendor contacted via e-mail at admin@discuz.vip and security@tencent.com, no response
[07/05/2026] – Opened issue IJLFUW on https://gitee.com/Discuz/DiscuzX
[09/05/2026] – Vulnerability details shared within issue IJLFUW
[09/05/2026] – Vendor replied “all plugin-related issues are reviewed by application center auditors”
[09/06/2026] – CVE identifier requested
[09/06/2026] – CVE identifier assigned
[13/06/2026] – Public disclosure at hackmeeting 0x1D
[15/06/2026] – Publication of this advisory
• CVE Reference:
CVE-2026-49954 has been assigned to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano.