CVE-2011-10013

CRITICAL

Traq Project Issue Tracking System 2.0-2.3 - Unauthenticated Remote Code Execution via Admin Plugin Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2011-10013. PoCs published by Metasploit, EgiX, including Metasploit module exploits/multi/http/traq_plugin_exec.

AI-analyzed exploit summary This Metasploit module exploits an authentication bypass and remote code execution vulnerability in Traq <= 2.3 by leveraging a broken authorization schema in admincp/common.php, allowing arbitrary PHP code execution via the plugins.php functionality.

Description

Traq versions 2.0 through 2.3 contain a remote code execution vulnerability in the admincp/common.php script. The flawed authorization logic fails to halt execution after a failed access check, allowing unauthenticated users to reach admin-only functionality. This can be exploited via plugins.php to inject and execute arbitrary PHP code.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubywebappsphp
https://www.exploit-db.com/exploits/18239

This Metasploit module exploits an authentication bypass and remote code execution vulnerability in Traq <= 2.3 by leveraging a broken authorization schema in admincp/common.php, allowing arbitrary PHP code execution via the plugins.php functionality.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Traq <= 2.3
No auth needed
Prerequisites: Network access to the Traq installation · Traq version <= 2.3
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by EgiX · phpwebappsphp
https://www.exploit-db.com/exploits/18213

This exploit leverages an authentication bypass in Traq <= 2.3 due to improper header() usage, allowing unauthenticated RCE via plugin creation. It sends a crafted POST request to create a malicious plugin and then executes commands via HTTP headers.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Traq <= 2.3
No auth needed
Prerequisites: Network access to the target · Traq installation with admin panel accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by EgiX · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/traq_plugin_exec.rb

This Metasploit module exploits a broken authorization schema in Traq 2.0 to 2.3, allowing arbitrary PHP code execution via the admincp/plugins.php script. It leverages a base64-encoded payload delivered through the CMD header to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Traq 2.0 to 2.3
No auth needed
Prerequisites: Access to the admincp/plugins.php endpoint · PHP payload compatible with the target environment
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Scores

CVSS v4 10.0
EPSS 0.0149
EPSS Percentile 70.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-306 CWE-94
Status published
Products (1)
Traq Project/Issue Tracking System 2.0 - 2.3
Published Aug 13, 2025
Tracked Since Feb 18, 2026