CVE-2007-3611

VRNews 1.1.1 - Unauthenticated Administrative Action Execution via act Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-3611. PoCs published by R4M!.

AI-analyzed exploit summary: This entry describes an unauthorized access vulnerability in VRNews v1.x due to improper permission checks in admin.php. The writeup lists example URLs that can be accessed without authentication to perform administrative actions.

Description

admin.php in VRNews 1.1.1, and possibly other 1.x versions, does not require authentication, which allows remote attackers to perform certain administrative actions via a direct request with a (1) edit, (2) add, (3) config, or (4) del value in the act parameter.

Exploits (1)

exploitdb WRITEUP VERIFIED
by R4M! · text · webapps · php
https://www.exploit-db.com/exploits/4150

Classification: Writeup 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: VRNews v1.x
No auth needed
Prerequisites: Target running VRNews v1.x with exposed admin.php
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/4150
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/35271
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/45787

Scores

EPSS 0.0657
EPSS Percentile 91.3%

Details

Status: published
Products (1): vrnews/vrnews 1.1.1
Published: Jul 06, 2007
Tracked Since: Feb 18, 2026