CVE-2012-10056

HIGH

PHP Volunteer Management System v1.0.2 - Code Injection


Exploitation Summary

EIP tracks 3 public exploits for CVE-2012-10056. PoCs were published by Metasploit and Ashoo, including the Metasploit module exploits/multi/http/php_volunteer_upload_exec.

AI-analyzed exploit summary: This Metasploit module exploits an arbitrary file upload vulnerability in PHP Volunteer Management System v1.0.2, allowing authenticated users to upload and execute malicious PHP payloads.

Description

PHP Volunteer Management System v1.0.2 contains an arbitrary file upload vulnerability in its document upload functionality. Authenticated users can upload files to the mods/documents/uploads/ directory without any restriction on file type or extension. Because this directory is publicly accessible and lacks execution controls, attackers can upload a malicious PHP payload and execute it remotely. The application ships with default credentials, making exploitation trivial. Once authenticated, the attacker can upload a PHP shell and trigger it via a direct GET request.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · webapps · php
https://www.exploit-db.com/exploits/18957

This Metasploit module exploits an arbitrary file upload vulnerability in PHP Volunteer Management System v1.0.2, allowing authenticated users to upload and execute malicious PHP payloads.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PHP Volunteer Management System v1.0.2
Auth required
Prerequisites: Network access to the target · Valid credentials (default: admin:volunteer)
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Ashoo · text · webapps · php
https://www.exploit-db.com/exploits/18941

This is a writeup detailing two vulnerabilities in PHP Volunteer Management System v1.0.2: unrestricted file upload leading to RCE and persistent XSS. It provides PoC steps but no actual exploit code.

Classification: Writeup 90%
Attack Type: RCE | XSS
Complexity: Trivial
Reliability: Reliable
Target: PHP Volunteer Management System v1.0.2
Auth required
Prerequisites: access to upload functionality · valid credentials for XSS
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/php_volunteer_upload_exec.rb

This Metasploit module exploits an arbitrary file upload vulnerability in PHP Volunteer Management System v1.0.2, allowing authenticated attackers to upload and execute malicious PHP files. The exploit leverages default credentials (admin:volunteer) to authenticate, uploads a PHP payload, and executes it by accessing the uploaded file.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PHP Volunteer Management System v1.0.2
Auth required
Prerequisites: Network access to the target application · Default credentials (admin:volunteer) or valid credentials · Target application version v1.0.2 or prior
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4 8.7
EPSS 0.0093
EPSS Percentile 55.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE: CWE-434
Status: published
Products (1): PHP Volunteer Management/PHP Volunteer Management 1.0.2
Published Aug 13, 2025
Tracked Since Feb 18, 2026