CVE-2011-10011

CRITICAL

WeBid < 1.0.2 - Unauthenticated Remote Code Execution via Converter.php to Parameter

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2011-10011. PoCs published by Metasploit, EgiX, and juan vazquez, including the Metasploit module exploits/linux/http/webid_converter.

AI-analyzed exploit summary: This Metasploit module exploits a PHP code injection vulnerability in WeBid 1.0.2 via the converter.php file, allowing unauthenticated remote code execution by injecting payloads into includes/currencies.php.

Description

WeBid 1.0.2 contains a remote code injection vulnerability in the converter.php script, where unsanitized input in the to parameter of a POST request is written directly into includes/currencies.php. This allows unauthenticated attackers to inject arbitrary PHP code, resulting in persistent remote code execution when the modified script is accessed or included by the application.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · webapps · php
https://www.exploit-db.com/exploits/18934

This Metasploit module exploits a PHP code injection vulnerability in WeBid 1.0.2 via the converter.php file, allowing unauthenticated remote code execution by injecting payloads into includes/currencies.php.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WeBid 1.0.2
No auth needed
Prerequisites: Network access to the target WeBid application
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by EgiX · php · webapps · php
https://www.exploit-db.com/exploits/17487

This exploit targets WeBid <= 1.0.2, leveraging an arbitrary PHP code injection vulnerability in converter.php to achieve remote code execution. It injects malicious code into the currencies.php file via unsanitized POST parameters, then executes commands through a crafted payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WeBid <= 1.0.2
No auth needed
Prerequisites: cURL extension enabled · magic_quotes_gpc disabled · access to converter.php
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by EgiX, juan vazquez · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/webid_converter.rb

This Metasploit module exploits a PHP code injection vulnerability in WeBid 1.0.2 via the converter.php file, allowing unauthenticated remote code execution by injecting payloads into includes/currencies.php.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WeBid 1.0.2
No auth needed
Prerequisites: Network access to the target WeBid instance · WeBid 1.0.2 installation with default configuration
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4: 10.0
EPSS: 0.0159
EPSS Percentile: 72.4%
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-94
Status: published
Products (1): WeBid/WeBid < 1.0.2
Published: Aug 13, 2025
Tracked Since: Feb 18, 2026