CVE-2011-4451

WikkaWiki <1.3.2 - Code Injection

Description

libs/Wakka.class.php in WikkaWiki 1.3.1 and 1.3.2, when the spam_logging option is enabled, allows remote attackers to write arbitrary PHP code to the spamlog_path file via the User-Agent HTTP header in an addcomment request. NOTE: the vendor disputes this issue because the rendering of the spamlog_path file never uses the PHP interpreter.

Exploits (2)

exploitdb WRITEUP
webapps · php
https://www.exploit-db.com/exploits/18177
metasploit WORKING POC EXCELLENT
by EgiX, sinn3r · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wikka_spam_exec.rb

Scores

EPSS 0.6362
EPSS Percentile 98.4%

Details

Status published
Products (2)
wikkawiki/wikkawiki 1.3.1
wikkawiki/wikkawiki 1.3.2
Published Sep 05, 2012
Tracked Since Feb 18, 2026