CVE-2008-6928

PHPStore Complete Classifieds - Authenticated Arbitrary File Upload and Remote Code Execution via Logo Upload

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-6928. PoCs published by ZoRLu.

AI-analyzed exploit summary This exploit leverages a file upload vulnerability in PHPStore Complete Customizable Classifieds by bypassing file extension restrictions via a GIF header. Attackers can upload a malicious PHP shell disguised as an image file, achieving remote code execution.

Description

Unrestricted file upload vulnerability in PHPStore Complete Classifieds allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension as a logo, then accessing it via a direct request to the file in classifieds1/yellow_images/.

Exploits (1)

exploitdb WORKING POC VERIFIED
by ZoRLu · textwebappsphp
https://www.exploit-db.com/exploits/7084

This exploit leverages a file upload vulnerability in PHPStore Complete Customizable Classifieds by bypassing file extension restrictions via a GIF header. Attackers can upload a malicious PHP shell disguised as an image file, achieving remote code execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: PHPStore Complete Customizable Classifieds
Auth required
Prerequisites: Valid user account on the target system · Access to the file upload functionality
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/50294
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/32626
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7084
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/3100

Scores

EPSS 0.0329
EPSS Percentile 86.9%

Details

CWE
CWE-264
Status published
Products (1)
phpstore/complete_classifieds
Published Aug 11, 2009
Tracked Since Feb 18, 2026