CVE-2011-5130

Family Connections CMS 2.5.0-2.7.1 - Remote Code Execution via dev/less.php argv[1] Parameter


Exploitation Summary

EIP tracks 3 public exploits for CVE-2011-5130. PoCs were published by Metasploit and mr_me, including the Metasploit module exploits/multi/http/familycms_less_exec.

AI-analyzed exploit summary: This Metasploit module exploits a command injection vulnerability in Family Connections 2.7.1 via the `dev/less.php` script due to insecure use of `system()`. It allows remote command execution without authentication but requires `register_globals` to be enabled.

Description

dev/less.php in Family Connections CMS (FCMS) 2.5.0 - 2.7.1, when register_globals is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in the argv[1] parameter.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · webapps · php
https://www.exploit-db.com/exploits/18208

This Metasploit module exploits a command injection vulnerability in Family Connections 2.7.1 via the `dev/less.php` script due to insecure use of `system()`. It allows remote command execution without authentication but requires `register_globals` to be enabled.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Family Connections 2.7.1
No auth needed
Prerequisites: register_globals enabled · access to /dev/less.php
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by mr_me · php · webapps · php
https://www.exploit-db.com/exploits/18198

This exploit leverages a command injection vulnerability in Family Connections CMS versions 2.5.0 to 2.7.1 via the `argv[1]` parameter in `dev/less.php`. It allows remote command execution by injecting commands through the URL parameter, similar to CVE-2005-2651.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Family Connections CMS v2.5.0-v2.7.1
No auth needed
Prerequisites: PHP with `register_globals=On` and `register_argc_argv=Off` · Access to the `/dev/less.php` endpoint
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/familycms_less_exec.rb

This Metasploit module exploits a command injection vulnerability in Family Connections CMS 2.7.1 via the `dev/less.php` script, leveraging insecure use of `system()` with user-controlled input in `argv[1]`. It does not require authentication but relies on `register_globals` being enabled.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Family Connections CMS 2.7.1
No auth needed
Prerequisites: register_globals enabled · access to the target web application
devstral-2 · analyzed Feb 16, 2026

References (7)

Core 7
Core References
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/47069
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/71618
Exploit (exploit, x_refsource_exploit-db): http://www.exploit-db.com/exploits/18198
Exploit (exploit, x_refsource_exploit-db): http://www.exploit-db.com/exploits/18208
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://osvdb.org/77492

Scores

EPSS 0.3655
EPSS Percentile 98.3%

Details

CWE: CWE-94
Status: published
Products (8)
haudenschilt/family_connections_cms 2.5.0
haudenschilt/family_connections_cms 2.5.1
haudenschilt/family_connections_cms 2.5.2
haudenschilt/family_connections_cms 2.5.3
haudenschilt/family_connections_cms 2.5.4
haudenschilt/family_connections_cms 2.6.0
haudenschilt/family_connections_cms 2.7.0
haudenschilt/family_connections_cms 2.7.1
Published Aug 30, 2012
Tracked Since Feb 18, 2026