CVE-2011-3587

EXPLOITED

Plone 4.0-4.0.9, 4.1, 4.2-4.2a2 - Remote Code Execution via p_ Class in OFS/misc_.py

Title source: manual
STIX 2.1

Exploitation Summary

CVE-2011-3587 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Nick Miles, Unknown, Nick Miles, including a Metasploit module exploits/multi/http/plone_popen2.

AI-analyzed exploit summary This exploit leverages a path traversal vulnerability in Plone's webdav/xmltools endpoint to execute arbitrary commands via the 'os.popen2' module. The PoC demonstrates command injection by exfiltrating '/etc/passwd' over a netcat connection.

Description

Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Nick Miles · textwebappsmultiple
https://www.exploit-db.com/exploits/18262

This exploit leverages a path traversal vulnerability in Plone's webdav/xmltools endpoint to execute arbitrary commands via the 'os.popen2' module. The PoC demonstrates command injection by exfiltrating '/etc/passwd' over a netcat connection.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Plone 4.0-4.0.9, 4.1, 4.2 (a1/a2) with Zope 2.12.x/2.13.x
No auth needed
Prerequisites: Network access to the Plone server · Unpatched Plone/Zope version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Unknown, Nick Miles · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/plone_popen2.rb

This Metasploit module exploits a remote command execution vulnerability in Plone and Zope via a traversal attack on the `p_` class in OFS/misc_.py, allowing arbitrary command execution through the `os/popen2` module. The exploit sends a POST request with the payload encoded in the `cmd` parameter.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Plone 4.0.x through 4.0.9, 4.1, 4.2 through 4.2a2, and Zope 2.12.x and 2.13.x
No auth needed
Prerequisites: Network access to the target's HTTP service (typically port 8080) · Vulnerable version of Plone or Zope
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/46221
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/46323
Patch, Vendor Advisory x_refsource_confirm
http://plone.org/products/plone/security/advisories/20110928

Scores

EPSS 0.9046
EPSS Percentile 99.6%

Details

VulnCheck KEV 2020-10-14
Status published
Products (37)
plone/plone 4.0
plone/plone 4.0.1
plone/plone 4.0.2
plone/plone 4.0.3
plone/plone 4.0.4
plone/plone 4.0.5
plone/plone 4.0.6.1
plone/plone 4.0.7
plone/plone 4.0.8
plone/plone 4.0.9
... and 27 more
Published Oct 10, 2011
Tracked Since Feb 18, 2026