CVE-2008-3118

PHPmotion < 2.0 - SQL Injection via vid Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-3118. PoCs published by EgiX.

AI-analyzed exploit summary: This exploit demonstrates a remote shell upload vulnerability in PHPmotion <= 2.0 by bypassing MIME type checks in the update_profile.php file. It includes authentication bypass via registration, SQL injection for data retrieval, and a PHP shell upload with command execution capabilities.

Description

SQL injection vulnerability in play.php in PHPmotion 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the vid parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by EgiX · php · webapps · php
https://www.exploit-db.com/exploits/5938

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PHPmotion <= 2.0
Auth required
Prerequisites: Network access to the target · PHPmotion installation with default configuration
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/5938
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/29949
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/43376

Scores

EPSS 0.0100
EPSS Percentile 58.2%

Details

CWE: CWE-89
Status: published
Products (2)
phpmotion/phpmotion 1.0
phpmotion/phpmotion < 2.0
Published: Jul 10, 2008
Tracked Since: Feb 18, 2026