The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents().
These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service
CVSS Vector v4.0
Weakness Type (CWE)
References 4
https://github.com/goodoneuz/pay-uz/blob/master/src/Http/Controllers/ApiControl…
309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
https://github.com/goodoneuz/pay-uz/blob/master/src/routes/web.php
309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
https://github.com/shaxzodbek-uzb/pay-uz
309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
https://packagist.org/packages/goodoneuz/pay-uz
309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c