CVE-2014-7146

MantisBT - Remote Code Execution via XmlImportExport Plugin Preg Replace


Exploitation Summary

EIP tracks 3 public exploits for CVE-2014-7146. PoCs were published by Metasploit and Egidio Romano, including the Metasploit module exploits/multi/http/mantisbt_php_exec.

AI-analyzed exploit summary: This Metasploit module exploits a post-authentication PHP code injection vulnerability in MantisBT's XmlImportExport plugin via the `preg_replace` function with the `/e` modifier. It allows authenticated attackers to execute arbitrary PHP code by uploading a maliciously crafted XML file.

Description

The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier.
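The construct behind this CVE, preg_replace() with the e (eval) modifier, treats the replacement string as PHP code and is straightforward to audit for. The checker below is an added example, not code from this page or from MantisBT: it scans PHP source for preg_replace() calls whose pattern literal carries /e and flags non-literal patterns for manual review (PHP 7.0 removed /e; preg_replace_callback() is the prescribed replacement). The PHP snippet it scans is constructed for the example.

```python
import re

# Constructed PHP snippet (not MantisBT code) covering each case the checker
# distinguishes: a /e pattern, a harmless modifier, the safe
# preg_replace_callback() alternative, and a pattern built from a variable.
SAMPLE_PHP = r'''<?php
$out = preg_replace('/@(\w+)/e', 'lookup("$1")', $text);      // dangerous
$out = preg_replace("#\s+#i", " ", $text);                      // fine
$out = preg_replace_callback('/@(\w+)/', 'lookup_cb', $text);   // fine
$out = preg_replace($user_pattern, '', $text);                  // review
'''

# First argument of a preg_replace() call: a quoted literal or, failing that,
# whatever precedes the first comma/paren (an expression we cannot evaluate).
_CALL = re.compile(
    r"\bpreg_replace\s*\(\s*"
    r"(?P<arg>'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|[^,)]+)")

# PCRE allows bracket-style delimiters; any other delimiter closes with itself.
_PAIRS = {"(": ")", "[": "]", "{": "}", "<": ">"}


def pattern_modifiers(literal):
    """Modifier letters after the closing delimiter of a quoted PCRE literal,
    e.g. '/foo/ie' -> 'ie'; None if the literal is not a well-formed pattern."""
    body = literal[1:-1]          # drop the PHP quotes
    if not body:
        return None
    close = _PAIRS.get(body[0], body[0])
    end = body.rfind(close)
    if end <= 0:
        return None
    return body[end + 1:]


def find_eval_modifier(php_source):
    """Return (line, message) for every preg_replace() whose pattern literal
    carries /e, plus non-literal patterns that need a manual look."""
    findings = []
    for m in _CALL.finditer(php_source):
        arg = m.group("arg").strip()
        line = php_source.count("\n", 0, m.start()) + 1
        if arg[0] in "'\"":
            mods = pattern_modifiers(arg)
            if mods is not None and "e" in mods:
                findings.append((line, "preg_replace with /e modifier: " + arg))
        else:
            findings.append((line, "non-literal pattern, review manually: " + arg))
    return findings
```

Running find_eval_modifier(SAMPLE_PHP) reports lines 2 and 5 of the snippet; the /i call and the preg_replace_callback() call are left alone.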

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/35283

This Metasploit module exploits a post-authentication PHP code injection vulnerability in MantisBT's XmlImportExport plugin via the `preg_replace` function with the `/e` modifier. It allows authenticated attackers to execute arbitrary PHP code by uploading a maliciously crafted XML file.

Classification: Working PoC 95%
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MantisBT with XmlImportExport plugin versions 1.2.0a3 to 1.2.17
Auth required
Prerequisites: Valid credentials for MantisBT · XmlImportExport plugin installed and accessible
devstral-2 · analyzed Feb 16, 2026
exploitdb · WORKING POC
ruby · webapps · multiple
https://www.exploit-db.com/exploits/41685

This Metasploit module exploits a post-authentication PHP code injection vulnerability in MantisBT's XmlImportExport plugin (CVE-2014-7146). It leverages the /e modifier in preg_replace() to execute arbitrary PHP code via crafted XML input, bypassing user-level checks to allow exploitation even by anonymous users.

Classification: Working PoC 100%
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MantisBT 1.2.0a3 to 1.2.17 with XmlImportExport plugin
No auth needed
Prerequisites: XmlImportExport plugin installed · Network access to MantisBT instance
devstral-2 · analyzed Feb 19, 2026
metasploit · WORKING POC · GREAT
by Egidio Romano · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mantisbt_php_exec.rb

This Metasploit module exploits a PHP code injection vulnerability in MantisBT's XmlImportExport plugin (CVE-2014-7146, CVE-2014-8598) by leveraging the /e modifier in preg_replace() to execute arbitrary PHP code via a crafted XML file. It supports authentication bypass via anonymous login if enabled.

Classification: Working PoC 95%
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MantisBT 1.2.0a3 to 1.2.17 with XmlImportExport plugin
No auth needed
Prerequisites: XmlImportExport plugin installed · Network access to MantisBT · Valid credentials or anonymous login enabled
devstral-2 · analyzed Feb 16, 2026

References (8)

Third Party Advisory, VDB Entry (BID)
http://www.securityfocus.com/bid/70993
Various Sources (vendor bug tracker)
http://www.mantisbt.org/bugs/view.php?id=17725
Vendor Advisory (commit)
https://github.com/mantisbt/mantisbt/commit/bed19db9
Third Party Advisory, VDB Entry (IBM X-Force)
https://exchange.xforce.ibmcloud.com/vulnerabilities/98572
Vendor Advisory (commit)
https://github.com/mantisbt/mantisbt/commit/84017535
Third Party Advisory (Secunia)
http://secunia.com/advisories/62101
Mailing List (oss-security)
http://seclists.org/oss-sec/2014/q4/576
Third Party Advisory (Debian)
http://www.debian.org/security/2015/dsa-3120

Scores

EPSS score: 0.8039
EPSS percentile: 99.2%

Details

CWE: CWE-20
Status: published
Products (1): mantisbt/mantisbt 1.2.17
Published: Nov 18, 2014
Tracked since: Feb 18, 2026