CVE-2019-9761

HIGH

PHPSHE 1.7 - Unauthenticated XML External Entity Injection via wechat_getxml

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-9761. PoCs published by koyshe.

AI-analyzed exploit summary: The document details two vulnerabilities in phpshe: a blind XXE in the WeChat payment plugin and an SQL injection in the Alipay payment plugin. It includes technical analysis, code paths, and PoC examples for both vulnerabilities.

Description

An XXE issue was discovered in PHPSHE 1.7, which can be used to read any file in the system or scan the internal network without authentication. This occurs because of the call to wechat_getxml in include/plugin/payment/wechat/notify_url.php.

Exploits (1)

gitee WRITEUP 48 stars
by koyshe · phpwriteup
https://gitee.com/koyshe/phpshe/issues/ITC0C

Classification: Writeup 95%
Attack Type: XXE | SQLi
Complexity: Moderate
Reliability: Reliable
Target: phpshe 1.7
No auth needed
Prerequisites: libxml version < 2.9.0 for XXE · access to payment endpoints
devstral-2 · analyzed Mar 04, 2026

References (1)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://gitee.com/koyshe/phpshe/issues/ITC0C

Scores

CVSS v3 7.5
EPSS 0.0171
EPSS Percentile 74.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-611
Status published
Products (1)
phpshe/phpshe 1.7
Published Mar 14, 2019
Tracked Since Feb 18, 2026