CVE-2013-4948

Machform 2 - SQL Injection via element_2 Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-4948. PoCs published by Yashar shahinzadeh.

AI-analyzed exploit summary: This exploit demonstrates arbitrary file upload and SQL injection/XSS vulnerabilities in Machform. The file upload allows attackers to upload malicious PHP shells, while the SQL injection and XSS can be triggered via crafted POST requests.

Description

SQL injection vulnerability in view.php in Machform 2 allows remote attackers to execute arbitrary SQL commands via the element_2 parameter.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Yashar shahinzadeh · text · webapps · php
https://www.exploit-db.com/exploits/26553

Classification: Working PoC 90%
Attack Type: RCE | SQLi | XSS
Complexity: Moderate
Reliability: Reliable
Target: Machform version 2
Authentication: No auth needed
Prerequisites: Access to the target's view.php endpoint · A form with file upload functionality
Analysis: devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit (exploit, x_refsource_exploit-db): http://www.exploit-db.com/exploits/26553
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://osvdb.org/94801
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/85388

Scores

EPSS: 0.0354
EPSS Percentile: 87.8%

Details

CWE: CWE-89
Status: published
Products (1): machform/machform 2.0
Published: Jul 29, 2013
Tracked Since: Feb 18, 2026