The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.
The /payment/api/editable/update endpoint is registered by Route::any() without applying authentication middleware, which means any remote user can access it without providing authentication credentials. User-controlled data is directly written to existing PHP files handling payments (payment hook files) using the file_put_contents() function. The modified files are subsequently loaded by require() during standard payment transaction processing, which leads to execution of PHP code supplied by the attacker. The vendor points to the payment secret token as a security measure, however it is not associated with this endpoint and does not constitute any mitigation.
An attacker without any authentication can overwrite PHP files of the application with their own code and cause remote code execution (RCE) in the context of the application server, thereby gaining full control over the system and potentially over payment transaction processing.
Apply patches available from the vendor according to the references. Until an update is performed, it is recommended to block access to the /payment/api/editable/update endpoint at the firewall or web server level and verify the integrity of PHP files handling payments.
The goodoneuz/pay-uz package for the Laravel framework in versions up to and including 2.2.24
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X