CVE-2019-9692

MEDIUM

CMS Made Simple < 2.2.10 - Unrestricted File Upload via Watermark Image Extension Bypass

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2019-9692. PoCs were published by Metasploit, Daniele Scanu, and Fabio Cogno, including the Metasploit module exploits/multi/http/cmsms_showtime2_rce.

AI-analyzed exploit summary: This Metasploit module exploits a file upload vulnerability in CMS Made Simple's Showtime2 module (CVE-2019-9692), allowing authenticated users to upload malicious PHP files disguised as watermark images, leading to remote code execution.

Description

class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/46627

This Metasploit module exploits a file upload vulnerability in CMS Made Simple's Showtime2 module (CVE-2019-9692), allowing authenticated users to upload malicious PHP files disguised as watermark images, leading to remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CMS Made Simple (CMSMS) Showtime2 module <= 3.6.2
Auth required
Prerequisites: Authenticated user with 'Use Showtime2' privilege · Showtime2 module installed in a vulnerable version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Daniele Scanu · python · webapps · php
https://www.exploit-db.com/exploits/46546

This exploit targets an authenticated arbitrary file upload vulnerability in the Showtime2 module for CMS Made Simple. It logs in, uploads a PHP shell, and spawns a reverse shell using netcat.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CMS Made Simple with Showtime2 module <= 3.6.2
Auth required
Prerequisites: Valid admin credentials · Showtime2 module installed in a vulnerable version
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by Daniele Scanu, Fabio Cogno · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cmsms_showtime2_rce.rb

This Metasploit module exploits a file upload vulnerability in CMS Made Simple's Showtime2 module (CVE-2019-9692), allowing authenticated users to upload malicious PHP files and achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CMS Made Simple (CMSMS) Showtime2 module <= 3.6.2
Auth required
Prerequisites: Authenticated user with 'Use Showtime2' privilege · Showtime2 module installed in a vulnerable version
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46546/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46627/

Scores

CVSS v3: 6.5
EPSS: 0.5929
EPSS Percentile: 98.3%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE: CWE-434
Status: published
Products (1): cmsmadesimple/cms_made_simple < 2.2.10
Published: Mar 11, 2019
Tracked Since: Feb 18, 2026