CVE-2013-1465

CRITICAL

CubeCart 5.0.0-5.2.0 - Remote Code Execution via Unserialization in Shipping Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-1465. PoCs published by EgiX.

AI-analyzed exploit summary: The writeup describes a PHP object injection vulnerability in CubeCart <= 5.2.0, where user input passed through the $_POST['shipping'] parameter is not properly sanitized before being used in an unserialize() call. This can be exploited to inject arbitrary objects, potentially leading to configuration manipulation and further attacks.

Description

The Cubecart::_basket method in classes/cubecart.class.php in CubeCart 5.0.0 through 5.2.0 allows remote attackers to unserialize arbitrary PHP objects via a crafted shipping parameter, as demonstrated by modifying the application configuration using the Config object.

Exploits (1)

exploitdb WRITEUP VERIFIED
by EgiX · text · webapps · php
https://www.exploit-db.com/exploits/24465

Classification: Writeup 100%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Theoretical
Target: CubeCart <= 5.2.0
No auth needed
Prerequisites: Access to the application's POST request handling
devstral-2 · analyzed Feb 16, 2026

References (9)

Core References
Broken Link mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2013-02/0032.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/81920
Exploit x_refsource_misc
http://karmainsecurity.com/KIS-2013-02
Broken Link vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/57770
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/120094/CubeCart-5.2.0-PHP-Object-Injection.html
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/52072
Broken Link vdb-entry x_refsource_osvdb
http://osvdb.org/89923
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/24465

Scores

CVSS v3 9.8
EPSS 0.0709
EPSS Percentile 93.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-502
Status published
Products (1)
cubecart/cubecart 5.0.0 - 5.2.0
Published Feb 08, 2013
Tracked Since Feb 18, 2026