CVE-2010-3307

Free Simple CMS <= 1.0 - Remote Code Execution via Theme Parameter Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-3307.

AI-analyzed exploit summary This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in Free Simple Software V1.0. It allows an attacker to include and execute arbitrary remote PHP code by manipulating the 'meta' or 'phpincdir' parameters in the theme's index.php file.

Description

Multiple PHP remote file inclusion vulnerabilities in themes/default/index.php in Free Simple CMS 1.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) body, (2) footer, (3) header, (4) menu_left, or (5) menu_right parameter.

Exploits (1)

exploitdb WORKING POC
webappsphp
https://www.exploit-db.com/exploits/14672

This exploit demonstrates a Remote File Inclusion (RFI) vulnerability in Free Simple Software V1.0. It allows an attacker to include and execute arbitrary remote PHP code by manipulating the 'meta' or 'phpincdir' parameters in the theme's index.php file.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Free Simple Software V1.0
No auth needed
Prerequisites: Remote shell or PHP script accessible via URL
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4
Core References
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/09/17/11
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/41001
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/09/17/4
Various Sources x_refsource_misc
http://www.ocert.org/advisories/ocert-2010-003.html

Scores

EPSS 0.0234
EPSS Percentile 81.4%

Details

CWE
CWE-94
Status published
Products (1)
dustincowell/free_simple_cms 1.0
Published Oct 05, 2010
Tracked Since Feb 18, 2026