CVE-2005-1921

PEAR XML_RPC < 1.3.0 and PHPXMLRPC < 1.1 - Remote Code Execution via Unsanitized XML Input

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 6 public exploits for CVE-2005-1921. PoCs published by Metasploit, Mike Rifone, dukenn, including Metasploit module exploits/unix/webapp/php_xmlrpc_eval.

AI-analyzed exploit summary This Metasploit module exploits CVE-2005-1921, an arbitrary code execution vulnerability in PHP XML-RPC implementations. It crafts a malicious XML-RPC request to execute arbitrary commands via the `passthru` function, targeting applications like Drupal, WordPress, and others.

Description

Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · rubywebappsphp
https://www.exploit-db.com/exploits/16882

This Metasploit module exploits CVE-2005-1921, an arbitrary code execution vulnerability in PHP XML-RPC implementations. It crafts a malicious XML-RPC request to execute arbitrary commands via the `passthru` function, targeting applications like Drupal, WordPress, and others.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: PHP XML-RPC (affecting Drupal, WordPress, Postnuke, TikiWiki, etc.)
No auth needed
Prerequisites: Target application with vulnerable PHP XML-RPC implementation · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Mike Rifone · perlwebappsphp
https://www.exploit-db.com/exploits/1084

This exploit leverages a command injection vulnerability in XML-RPC implementations (phpxmlrpc and PEAR XML_RPC) by crafting a malicious XML payload. The payload injects a system command into the XML structure, allowing remote command execution on the target server.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: phpxmlrpc, PEAR XML_RPC
No auth needed
Prerequisites: Target server running vulnerable XML-RPC implementation · Network access to the XML-RPC endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by dukenn · perlwebappsphp
https://www.exploit-db.com/exploits/1083

This exploit targets CVE-2005-1921, a command injection vulnerability in XMLRPC implementations. It sends a maliciously crafted XML payload to execute arbitrary commands on the target system via a POST request.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: XMLRPC implementations (e.g., PHP XMLRPC)
No auth needed
Prerequisites: Network access to the target · XMLRPC endpoint exposed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by GulfTech Security · textwebappsphp
https://www.exploit-db.com/exploits/43829

This exploit demonstrates a remote code execution vulnerability in PHPXMLRPC <= 1.1 due to unsanitized data being passed into an eval() call. The PoC XML payload escapes the eval() context using single quotes to execute arbitrary PHP code.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: PHPXMLRPC <= 1.1
No auth needed
Prerequisites: Vulnerable PHPXMLRPC installation · Ability to send crafted XML-RPC requests to the server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
perlwebappsphp
https://www.exploit-db.com/exploits/1078

This Perl script exploits CVE-2005-1921, a command injection vulnerability in XML-RPC implementations (e.g., PHP XML-RPC libraries). It crafts a malicious XML-RPC request to execute arbitrary commands via the `system()` function by injecting into the `methodName` parameter.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: PHP XML-RPC libraries (e.g., PEAR XML_RPC, Drupal, Xoops, PHP-Nuke)
No auth needed
Prerequisites: Target must have vulnerable XML-RPC endpoint exposed · Perl with LWP::UserAgent module installed
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by hdm, cazz · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/php_xmlrpc_eval.rb

This Metasploit module exploits a PHP XML-RPC arbitrary code execution vulnerability (CVE-2005-1921) by injecting malicious commands into XML-RPC requests. It targets multiple PHP-based applications like Drupal, WordPress, and others.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: PHP XML-RPC implementations (e.g., Drupal, WordPress, Postnuke, TikiWiki)
No auth needed
Prerequisites: Target must have vulnerable PHP XML-RPC implementation · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (50)

Core 50
Core References
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2005/dsa-789
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15947
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15852
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15944
Broken Link vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2005_18_sr.html
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15883
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15872
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15895
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015336
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2005/dsa-746
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17674
Not Applicable, Vendor Advisory x_refsource_misc
http://www.gulftech.org/?node=research&article_id=00087-07012005
Broken Link vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2005/2827
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15917
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2005/dsa-747
Broken Link vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2005_41_php_pear.html
Not Applicable x_refsource_misc
http://www.hardened-php.net/advisory-022005.php
Broken Link, Third Party Advisory, VDB Entry vendor-advisory x_refsource_hp
http://www.securityfocus.com/archive/1/419064/100/0/threaded
Third Party Advisory vendor-advisory x_refsource_suse
http://marc.info/?l=bugtraq&m=112605112027335&w=2
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15957
Broken Link x_refsource_confirm
http://www.ampache.org/announce/3_3_1_2.php
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15810
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200507-01.xml
Third Party Advisory x_refsource_confirm
http://www.drupal.org/security/drupal-sa-2005-003/advisory.txt
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/14088
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/16693
Third Party Advisory mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=112008638320145&w=2
Third Party Advisory mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=112015336720867&w=2
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200507-07.xml
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15904
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15903
Broken Link vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2005_49_php.html
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17440
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15922
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15884
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15916
Broken Link vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2005-564.html
Patch, Product x_refsource_misc
http://pear.php.net/package/XML_RPC/download/1.3.1
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/16001
Patch, Third Party Advisory, Vendor Advisory vendor-advisory x_refsource_mandrake
http://www.mandriva.com/security/advisories?name=MDKSA-2005:109
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200507-06.xml
Mailing List, Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2005/dsa-745
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15855
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/16339
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18003
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/15861

Scores

EPSS 0.7907
EPSS Percentile 99.5%

Details

CWE
CWE-94
Status published
Products (5)
debian/debian_linux 3.1
drupal/drupal < 4.5.4
gggeek/phpxmlrpc < 1.1
php/xml_rpc < 1.3.0
tiki/tikiwiki_cms\/groupware < 1.8.5
Published Jul 05, 2005
Tracked Since Feb 18, 2026