CVE-2014-8770

MAGMI < 0.7.17a - Authenticated Remote Code Execution via ZIP File Upload

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-8770. PoCs published by Parvinder Bhasin.

AI-analyzed exploit summary This exploit demonstrates a file inclusion vulnerability in MAGMI (Magento Mass Importer) v0.7.17a and older, allowing an attacker to upload a malicious PHP file disguised as a plugin. The uploaded file can execute arbitrary commands on the server, leading to remote code execution (RCE).

Description

Unrestricted file upload vulnerability in magmi/web/magmi.php in the MAGMI (aka Magento Mass Importer) plugin 0.7.17a and earlier for Magento Community Edition (CE) allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file, then accessing the PHP file via a direct request to it in magmi/plugins/.

Exploits (1)

exploitdb WORKING POC
by Parvinder Bhasin · textwebappsphp
https://www.exploit-db.com/exploits/35052

This exploit demonstrates a file inclusion vulnerability in MAGMI (Magento Mass Importer) v0.7.17a and older, allowing an attacker to upload a malicious PHP file disguised as a plugin. The uploaded file can execute arbitrary commands on the server, leading to remote code execution (RCE).

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: MAGMI (Magento Mass Importer) v0.7.17a and older
No auth needed
Prerequisites: Access to the MAGMI web interface · Ability to upload a zipped PHP file
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Broken Link vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/113848
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/35052

Scores

EPSS 0.1317
EPSS Percentile 94.3%

Details

CWE
CWE-94
Status published
Products (2)
dweeves/magmi 0Packagist
magmi_project/magmi < 0.7.17a
Published Nov 13, 2014
Tracked Since Feb 18, 2026