Page Builder CK (com_pagebuilderck) exposes an unauthenticated fonts.save task that fetches remote assets and writes attacker-controlled PHP into the webroot under: media/com_pagebuilderck/gfonts/. The only gate is a Joomla CSRF token, which is publicly readable on the homepage.
| Vendor | Product | Versions |
|---|---|---|
| joomlack | page_builder_ck | 1.0-3.6.0, 3.5.10 |
Updated description with technical details, added affected version 3.5.10, changed severity to HIGH, marked exploit as available, and noted patch available in version 3.6.0.
Updated severity to CRITICAL and marked the vulnerability as actively exploited.
Initial creation