CVE-2014-2223

Plogger < 1.0 - Authenticated Arbitrary File Upload and Remote Code Execution via ZIP Archive

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2223. PoCs published by b0z.

AI-analyzed exploit summary This exploit leverages an authenticated arbitrary file upload vulnerability in Plogger prior to 1.0-RC1. It logs in, creates a malicious ZIP archive containing a PHP backdoor, and uploads it to achieve remote code execution.

Description

Unrestricted file upload vulnerability in plog-admin/plog-upload.php in Plogger 1.0 RC1 and earlier allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file and a non-zero length PNG file, then accessing the PHP file via a direct request to it in plog-content/uploads/archive/.

Exploits (1)

exploitdb WORKING POC
by b0z · pythonwebappsphp
https://www.exploit-db.com/exploits/34447

This exploit leverages an authenticated arbitrary file upload vulnerability in Plogger prior to 1.0-RC1. It logs in, creates a malicious ZIP archive containing a PHP backdoor, and uploads it to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Plogger prior to 1.0-RC1
Auth required
Prerequisites: Valid credentials for Plogger admin panel · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Various Sources x_refsource_misc
https://www.sysdream.com/CVE-2014-2223_CVE-2014-2224
Mailing List mailing-list x_refsource_mlist
http://seclists.org/oss-sec/2014/q1/443
Exploit mailing-list x_refsource_mlist
http://seclists.org/oss-sec/2014/q1/446
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/34447

Scores

EPSS 0.1002
EPSS Percentile 95.0%

Details

CWE
CWE-94
Status published
Products (1)
plogger/plogger < 1.0
Published Sep 11, 2014
Tracked Since Feb 18, 2026