CVE-2011-4825

Ajax File and Image Manager < 1.1 - Remote Code Execution via PHP Code Injection in data.php

Title source: llm

Exploitation Summary

EIP tracks 7 public exploits for CVE-2011-4825. PoCs published by Metasploit, EgiX, Adel SBM, including Metasploit module exploits/multi/http/log1cms_ajax_create_folder.

AI-analyzed exploit summary This Metasploit module exploits a PHP code injection vulnerability in Log1 CMS's Ajax File and Image Manager component. It writes arbitrary PHP code to data.php via the writeInfo() function, leading to remote code execution.

Description

Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters.

Exploits (7)

exploitdb WORKING POC VERIFIED

by Metasploit · rubywebappsphp

https://www.exploit-db.com/exploits/18975

View Code ZIP pw:eip

This Metasploit module exploits a PHP code injection vulnerability in Log1 CMS's Ajax File and Image Manager component. It writes arbitrary PHP code to data.php via the writeInfo() function, leading to remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Log1 CMS 2.0

No auth needed

Prerequisites: Network access to the target · Vulnerable Log1 CMS installation

MITRE ATT&CK

T1210 - Exploitation of Remote Services T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by EgiX · phpwebappsphp

https://www.exploit-db.com/exploits/18083

View Code ZIP pw:eip

This PHP script exploits a remote code execution vulnerability in Zenphoto <= 1.4.1.4 by injecting malicious PHP code into a folder creation endpoint and then executing commands via a crafted HTTP request. The exploit establishes a shell-like interface for command execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Zenphoto <= 1.4.1.4

No auth needed

Prerequisites: Network access to the target Zenphoto instance · The target must have the vulnerable version of Zenphoto installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by EgiX · phpwebappsphp

https://www.exploit-db.com/exploits/18084

View Code ZIP pw:eip

This exploit targets a remote code execution vulnerability in phpMyFAQ <= 2.7.0 by leveraging an authenticated file upload flaw in ajax_create_folder.php. It authenticates, uploads a malicious PHP file, and executes arbitrary commands via HTTP headers.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: phpMyFAQ <= 2.7.0

Auth required

Prerequisites: Valid credentials for phpMyFAQ · Access to the admin interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by EgiX · phpwebappsphp

https://www.exploit-db.com/exploits/18085

View Code ZIP pw:eip

This exploit targets a remote code execution vulnerability in aidiCMS v3.55 by injecting a malicious PHP payload into the 'ajax_create_folder.php' file. It then leverages the injected payload to execute arbitrary commands via a crafted HTTP request to 'data.php'.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: aidiCMS v3.55

No auth needed

Prerequisites: Network access to the target · aidiCMS v3.55 installed with vulnerable components

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WRITEUP VERIFIED

by EgiX · textwebappsphp

https://www.exploit-db.com/exploits/18075

View Code ZIP pw:eip

The vulnerability in Ajax File and Image Manager v1.0 Final allows remote code execution due to improper handling of user-supplied input in the 'writeInfo' function, which writes arbitrary data to a PHP file without validation.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Ajax File and Image Manager v1.0 Final

No auth needed

Prerequisites: Access to the vulnerable endpoint /ajaxfilemanager/ajax_create_folder.php

MITRE ATT&CK

T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Adel SBM · phpwebappsphp

https://www.exploit-db.com/exploits/18151

View Code ZIP pw:eip

This exploit targets a remote code execution vulnerability in Log1CMS 2.0 via the ajax_create_folder.php endpoint. It injects a malicious PHP payload into a folder name, then triggers execution via a subsequent HTTP request with a base64-encoded command.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Log1CMS 2.0

No auth needed

Prerequisites: Network access to the target web application · PHP installed on the attacker's machine

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by EgiX, Adel SBM, sinn3r · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/log1cms_ajax_create_folder.rb

View Code ZIP pw:eip

This Metasploit module exploits a PHP code injection vulnerability in Log1 CMS's Ajax File and Image Manager component. It leverages the writeInfo() function to write arbitrary PHP code to data.php, achieving remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Log1 CMS 2.0

No auth needed

Prerequisites: Network access to the target · Vulnerable Log1 CMS installation

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Various Sources x_refsource_confirm

http://www.zenphoto.org/trac/ticket/2005

Various Sources x_refsource_confirm

http://www.phpmyfaq.de/advisory_2011-10-25.php

Various Sources x_refsource_confirm

http://www.phpletter.com/en/DOWNLOAD/1/

Exploit, Third Party Advisory exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/18075

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/50523

Scores

EPSS 0.4091

EPSS Percentile 98.5%

Details

CWE

CWE-94

Status published

Products (35)

phpletter/ajax_file_and_image_manager 0.5

phpletter/ajax_file_and_image_manager 0.5.5

phpletter/ajax_file_and_image_manager 0.5.7

phpletter/ajax_file_and_image_manager 0.6

phpletter/ajax_file_and_image_manager 0.6.12

phpletter/ajax_file_and_image_manager 0.7.8

phpletter/ajax_file_and_image_manager 0.7.10

phpletter/ajax_file_and_image_manager 0.8

phpletter/ajax_file_and_image_manager 0.8.8

phpletter/ajax_file_and_image_manager 0.8.9

... and 25 more

Published Dec 15, 2011

Tracked Since Feb 18, 2026