CVE-2009-4836

Movie PHP Script 2.0 - Remote Code Execution via Anticode Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4836. PoCs published by SirGod.

AI-analyzed exploit summary This exploit demonstrates a remote PHP code execution vulnerability in Movie PHP Script v2.0 due to an unsafe `eval` call on user-controlled input via the `anticode` parameter. The PoC provides clear examples of exploiting this to execute arbitrary PHP code.

Description

Eval injection vulnerability in system/services/init.php in Movie PHP Script 2.0 allows remote attackers to execute arbitrary PHP code via the anticode parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by SirGod · textwebappsphp

https://www.exploit-db.com/exploits/8871

View Code ZIP pw:eip

This exploit demonstrates a remote PHP code execution vulnerability in Movie PHP Script v2.0 due to an unsafe `eval` call on user-controlled input via the `anticode` parameter. The PoC provides clear examples of exploiting this to execute arbitrary PHP code.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Movie PHP Script v2.0

No auth needed

Prerequisites: Access to the vulnerable endpoint `/system/services/init.php`

MITRE ATT&CK

T1059.004 - Unix Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit vdb-entry x_refsource_osvdb

http://osvdb.org/54883

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/1495

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/35283

Exploit, Third Party Advisory exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/8871

Scores

EPSS 0.0559

EPSS Percentile 91.9%

Details

CWE

CWE-94

Status published

Products (1)

moviephp/movie_php_script 2.0

Published May 06, 2010

Tracked Since Feb 18, 2026