CVE-2020-37071

CRITICAL

CraftCMS 3 vCard Plugin 1.0.0 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37071. PoCs published by Wade Guest.

AI-analyzed exploit summary This exploit leverages a deserialization vulnerability in CraftCMS vCard Plugin 1.0.0 to achieve unauthenticated remote code execution. It generates a malicious payload, encrypts it, and triggers deserialization via a crafted URL, resulting in arbitrary file write and command execution.

Description

CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request.

Exploits (1)

exploitdb WORKING POC

by Wade Guest · pythonwebappsphp

https://www.exploit-db.com/exploits/48492

View Code ZIP pw:eip

This exploit leverages a deserialization vulnerability in CraftCMS vCard Plugin 1.0.0 to achieve unauthenticated remote code execution. It generates a malicious payload, encrypts it, and triggers deserialization via a crafted URL, resulting in arbitrary file write and command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: CraftCMS vCard Plugin 1.0.0

No auth needed

Prerequisites: Target must be running CraftCMS with vulnerable vCard Plugin 1.0.0 · PHP must be installed on the attacker's machine for payload encryption

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →