The vulnerability in Vvveb prior to version 1.0.8.3 involves an unrestricted file upload in the plugin upload endpoint. A super_admin user can upload a specially crafted ZIP file containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code. When the public path of the plugin is accessed, the PHP code executes as the web server user, resulting in remote code execution. The CVSS 4.0 score is 8.6, indicating high severity with network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. No patch or official remediation level is provided in the available data.

Successful exploitation allows a super_admin user to execute arbitrary PHP code on the web server, potentially leading to full system compromise under the web server's privileges. This can result in unauthorized access, data manipulation, or service disruption. The vulnerability requires super_admin privileges to upload the malicious plugin, but subsequent code execution occurs without authentication.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict super_admin access to trusted personnel only and monitor plugin uploads closely. Avoid uploading untrusted plugins and consider disabling plugin upload functionality if feasible.