CVE-2018-7448

HIGH

CMS Made Simple 2.1.6 - Remote Code Execution via Timezone Parameter in Installation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-7448. PoCs published by Keerati T., b1d0ws.

AI-analyzed exploit summary This exploit demonstrates a Remote Code Execution (RCE) vulnerability in CMS Made Simple 2.1.6 by injecting arbitrary PHP code into the 'timezone' parameter during the installation process. The injected code is written to the 'config.php' file, allowing an attacker to execute OS commands via a crafted HTTP request.

Description

Remote code execution vulnerability in /cmsms-2.1.6-install.php/index.php in CMS Made Simple version 2.1.6 allows remote attackers to inject arbitrary PHP code via the "timezone" parameter in step 4 of a fresh installation procedure.

Exploits (2)

exploitdb WORKING POC

by Keerati T. · textwebappsphp

https://www.exploit-db.com/exploits/44192

View Code ZIP pw:eip

This exploit demonstrates a Remote Code Execution (RCE) vulnerability in CMS Made Simple 2.1.6 by injecting arbitrary PHP code into the 'timezone' parameter during the installation process. The injected code is written to the 'config.php' file, allowing an attacker to execute OS commands via a crafted HTTP request.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: CMS Made Simple 2.1.6

No auth needed

Prerequisites: Access to the installation page · Valid database credentials · Ability to intercept and modify HTTP requests

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by b1d0ws · poc

https://github.com/b1d0ws/exploit-cve-2018-7448

View Code ZIP pw:eip

This Python script automates the exploitation of CVE-2018-7448, a remote code execution vulnerability in CMS Made Simple 2.1.6. It leverages a command injection flaw during the installation process to deploy a webshell for further exploitation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: CMS Made Simple 2.1.6

No auth needed

Prerequisites: Access to the CMS Made Simple installation page · Network connectivity to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44192/

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://packetstormsecurity.com/files/146568/CMS-Made-Simple-2.1.6-Remote-Code-Execution.html

Release Notes x_refsource_misc

http://dev.cmsmadesimple.org/project/changelog/5471

Scores

CVSS v3 7.5

EPSS 0.1325

EPSS Percentile 95.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (1)

cmsmadesimple/cms_made_simple 2.1.6

Published Feb 26, 2018

Tracked Since Feb 18, 2026