CVE-2013-4949

Machform 2 - Unauthenticated Arbitrary File Upload and Remote Code Execution via view.php


Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-4949. PoCs published by Yashar shahinzadeh.

AI-analyzed exploit summary: This exploit demonstrates arbitrary file upload and SQL injection/XSS vulnerabilities in Machform. The file upload allows attackers to upload malicious PHP shells, while the SQL injection and XSS can be triggered via crafted POST requests.

Description

Unrestricted file upload vulnerability in view.php in Machform 2 allows remote attackers to execute arbitrary PHP code by uploading a PHP file, then accessing it via a direct request to the file in the upload form's directory in data/.

Exploits (1)

exploitdb · Working PoC · Verified
by Yashar shahinzadeh · text · webapps · php
https://www.exploit-db.com/exploits/26553

Classification
Working PoC: 90%
Attack Type: RCE | SQLi | XSS
Complexity: Moderate
Reliability: Reliable
Target: Machform version 2
Authentication: none needed
Prerequisites: Access to the target's view.php endpoint · A form with file upload functionality
Analyzed by devstral-2 on Feb 16, 2026

References (4)

Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/85386
Exploit (exploit, x_refsource_exploit-db): http://www.exploit-db.com/exploits/26553
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://osvdb.org/94802

Scores

EPSS: 0.0545
EPSS Percentile: 91.7%

Details

Status: published
Products (1): machform/machform 2.0
Published: Jul 29, 2013
Tracked Since: Feb 18, 2026