High-Tech Bridge Security Research Lab discovered vulnerability in bitrix.mpbuilder Bitrix module, which can be exploited to include and execute arbitrary PHP file on the target system with privileges of the web server. The attacker will be able to execute arbitrary system commands and gain complete control over the website. Access to vulnerable modules requires administrative privileges, however the vulnerability can be used by anonymous users via CSRF vector. The vulnerability exists due to insufficient filtration of 'work[]' HTTP POST parameter in '/bitrix/admin/bitrix.mpbuilder_step2.php' script before using it in the include() PHP function. A remote attacker can include and execute arbitrary local file on the target system.