CVE-2009-4818

PHPSimplicity Simplicity oF Upload 1.3.2 - Unrestricted File Upload via Double Extension Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4818. PoCs published by Master Mind.

AI-analyzed exploit summary: This exploit demonstrates a remote file upload vulnerability in Simplicity oF Upload 1.3.2, allowing an attacker to upload a malicious PHP shell disguised as an image file (e.g., Shell.php.gif) to achieve remote code execution (RCE). The exploit leverages the lack of proper file extension validation in the upload mechanism.

Description

Unrestricted file upload vulnerability in upload.php in PHPSimplicity Simplicity oF Upload 1.3.2 allows remote attackers to execute arbitrary PHP code by uploading a file with a double extension, as demonstrated by .php.gif.

Exploits (1)

exploitdb · Working PoC · Verified
by Master Mind · text · webapps · php
https://www.exploit-db.com/exploits/10568

Classification
Working PoC: 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Simplicity oF Upload 1.3.2
Authentication: none needed
Prerequisites: Access to the upload.php endpoint · A malicious file with a double extension (e.g., Shell.php.gif)
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/54952
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/37424
Exploit (exploit, x_refsource_exploit-db): http://www.exploit-db.com/exploits/10568

Scores

EPSS 0.0421
EPSS Percentile 89.7%

Details

Status published
Products (1)
phpsimplicity/simplicity_of_upload 1.3.2
Published Apr 27, 2010
Tracked Since Feb 18, 2026