CVE-2014-5519

Phpwiki - Code Injection

Title source: rule

Description

The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtained from third party information.

Exploits (2)

exploitdb WORKING POC

by Benjamin Harris · pythonwebappsphp

https://www.exploit-db.com/exploits/34451

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Benjamin Harris · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/phpwiki_ploticus_exec.rb

View Code ZIP pw:eip

References (7)

[Third Party Advisory, VDB Entry] http://osvdb.org/show/osvdb/110576

[Exploit] http://packetstormsecurity.com/files/128031/PhpWiki-Ploticus-Command-Injection.html

[Exploit] http://seclists.org/fulldisclosure/2014/Aug/77

[Exploit] http://seclists.org/oss-sec/2014/q3/456

[Exploit] http://seclists.org/oss-sec/2014/q3/465

[Third Party Advisory] http://secunia.com/advisories/60293

[Exploit] http://www.exploit-db.com/exploits/34451

Scores

EPSS 0.8262

EPSS Percentile 99.2%

Details

CWE

CWE-94

Status published

Products (1)

phpwiki_project/phpwiki 1.5.0

Published Sep 11, 2014

Tracked Since Feb 18, 2026