CVE-2019-11446

HIGH

ATutor < 2.2.4 - Authenticated Arbitrary File Upload via File Manager

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-11446. PoCs published by AkkuS.

AI-analyzed exploit summary This Metasploit module exploits an arbitrary file upload vulnerability in ATutor < 2.2.4 by bypassing case-sensitive extension checks (e.g., '.phP') to achieve remote code execution. It authenticates as a teacher, creates a course, and uploads a malicious PHP payload.

Description

An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase (and thus .phP is a bypass), and omits .shtml and .phtml.

Exploits (1)

exploitdb WORKING POC
by AkkuS · rubywebappsphp
https://www.exploit-db.com/exploits/46691

This Metasploit module exploits an arbitrary file upload vulnerability in ATutor < 2.2.4 by bypassing case-sensitive extension checks (e.g., '.phP') to achieve remote code execution. It authenticates as a teacher, creates a course, and uploads a malicious PHP payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ATutor < 2.2.4
Auth required
Prerequisites: Valid teacher credentials · Access to the target application · Content directory path
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46691/

Scores

CVSS v3 8.8
EPSS 0.0383
EPSS Percentile 88.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (1)
atutor/atutor < 2.2.4
Published Apr 22, 2019
Tracked Since Feb 18, 2026