CVE-2010-1091

phpmysite - Cross-Site Scripting via contact.php Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-1091. PoCs published by Crux.

AI-analyzed exploit summary This exploit demonstrates SQL injection via the 'action' GET parameter in index.php and XSS via POST parameters in contact.php for phpMySite. The PoC provides clear examples of injection points without obfuscation.

Description

Multiple cross-site scripting (XSS) vulnerabilities in contact.php in phpMySite allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) city, (3) email, (4) state, and (5) message parameters.

Exploits (1)

exploitdb WORKING POC

by Crux · textwebappsphp

https://www.exploit-db.com/exploits/11588

View Code ZIP pw:eip

This exploit demonstrates SQL injection via the 'action' GET parameter in index.php and XSS via POST parameters in contact.php for phpMySite. The PoC provides clear examples of injection points without obfuscation.

Classification

Working Poc 90%

Attack Type

Sqli | Xss

Complexity

Trivial

Reliability

Reliable

Target: phpMySite (version unspecified)

No auth needed

Prerequisites: Access to the target web application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2010/0492

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/56574

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/11588

Exploit x_refsource_misc

http://packetstormsecurity.org/1002-exploits/phpmysite-sqlxss.txt

Scores

EPSS 0.0145

EPSS Percentile 70.0%

Details

CWE

CWE-79

Status published

Products (1)

phpmysite/phpmysite

Published Mar 24, 2010

Tracked Since Feb 18, 2026