CVE-2010-4931

php-fusion - Path Traversal via folder_level Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-4931. PoCs published by MoDaMeR.

AI-analyzed exploit summary This exploit demonstrates a Local File Inclusion (LFI) vulnerability in PHP-Fusion by manipulating the `folder_level` parameter in `maincore.php` to include arbitrary files. The vulnerability arises due to insufficient input validation, allowing an attacker to traverse directories and include unintended files.

Description

Directory traversal vulnerability in maincore.php in PHP-Fusion allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the folder_level parameter. NOTE: this issue has been disputed by a reliable third party

Exploits (1)

exploitdb WORKING POC
by MoDaMeR · phpwebappsphp
https://www.exploit-db.com/exploits/14647

This exploit demonstrates a Local File Inclusion (LFI) vulnerability in PHP-Fusion by manipulating the `folder_level` parameter in `maincore.php` to include arbitrary files. The vulnerability arises due to insufficient input validation, allowing an attacker to traverse directories and include unintended files.

Classification
Working Poc 90%
Attack Type
Lfi
Complexity
Trivial
Reliability
Reliable
Target: PHP-Fusion (all versions)
No auth needed
Prerequisites: Access to the target web application · PHP-Fusion installation with vulnerable `maincore.php`
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/42456
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/14647
Exploit, Third Party Advisory mailing-list x_refsource_mlist
http://attrition.org/pipermail/vim/2010-August/002391.html

Scores

EPSS 0.1640
EPSS Percentile 96.6%

Details

CWE
CWE-22
Status published
Products (1)
php-fusion/php-fusion
Published Oct 09, 2011
Tracked Since Feb 18, 2026