CVE-2020-7246

Exploitation Summary

EIP tracks 8 public exploits for CVE-2020-7246. PoCs published by RedHatAugust, Leon Trappett, Tobin Shields, including Metasploit module exploits/multi/http/qdpm_authenticated_rce.

AI-analyzed exploit summary This exploit leverages a path traversal vulnerability in qdPM 9.1 to upload a malicious PHP backdoor, enabling remote code execution. It requires authentication and manipulates file upload functionality to bypass restrictions.

Description

A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.

Exploits (8)

exploitdb WORKING POC VERIFIED

by RedHatAugust · pythonwebappsphp

https://www.exploit-db.com/exploits/50944

View Code ZIP pw:eip

This exploit leverages a path traversal vulnerability in qdPM 9.1 to upload a malicious PHP backdoor, enabling remote code execution. It requires authentication and manipulates file upload functionality to bypass restrictions.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: qdPM <= 9.1

Auth required

Prerequisites: Valid user credentials · Access to the target application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Leon Trappett · pythonwebappsphp

https://www.exploit-db.com/exploits/50175

View Code ZIP pw:eip

This exploit leverages a path traversal vulnerability in qdPM 9.1 to upload a malicious PHP backdoor, enabling remote code execution. It requires authentication and manipulates file upload functionality to bypass restrictions.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: qdPM <= 9.1

Auth required

Prerequisites: Valid user credentials · Access to the target application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Tobin Shields · pythonwebappsmultiple

https://www.exploit-db.com/exploits/48146

View Code ZIP pw:eip

This exploit automates the upload of a PHP web shell to qdPM via the 'upload a profile photo' feature, bypassing previous fixes. It establishes a reverse shell by triggering the uploaded payload and includes functionality to remove .htaccess files to ensure execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: qdPM v9.1 and below

Auth required

Prerequisites: Valid user credentials · Network access to the target qdPM instance · PHP reverse shell payload

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505 - Server Software Component T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Rishal Dwivedi · pythonwebappsphp

https://www.exploit-db.com/exploits/47954

View Code ZIP pw:eip

This exploit leverages a path traversal vulnerability in qdPM 9.1 to upload a malicious PHP file, achieving remote code execution. It authenticates with user credentials, manipulates file upload parameters, and places a backdoor in the uploads directory.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: qdPM <= 9.1

Auth required

Prerequisites: Valid user credentials · Access to the login page · File upload functionality enabled

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by pswalia2u · poc

https://github.com/pswalia2u/CVE-2020-7246

View Code ZIP pw:eip

This repository provides a Dockerized environment for CVE-2020-7246, a vulnerability in qdPM. It includes a pre-configured lab setup with a vulnerable qdPM instance and references an external Python2 exploit (ExploitDB 47954) for demonstration.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: qdPM (version not explicitly specified, but likely older versions)

Auth required

Prerequisites: Docker · Python2 · Access to the vulnerable qdPM instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by arafatansari · poc

https://github.com/arafatansari/SecAssignment

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2020-7246, targeting qdPM 9.1. The exploit leverages a path traversal vulnerability to upload a malicious PHP backdoor, achieving remote code execution (RCE).

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: qdPM 9.1

Auth required

Prerequisites: Valid user credentials · Access to the target application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by j0hn30n · poc

https://github.com/j0hn30n/CVE-2020-7246

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2020-7246, targeting qdPM versions before 9.1. The exploit leverages a file upload vulnerability to achieve remote code execution (RCE) via a PHP reverse shell. The provided Python script automates the login process and payload delivery, while the PHP payload establishes a reverse shell connection.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: qdPM < 9.1

Auth required

Prerequisites: Valid credentials for the qdPM application · Network access to the target server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Rishal Dwivedi (Loginsoft), Leon Trappett (thepcn3rd), Giacomo Casoni · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/qdpm_authenticated_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated arbitrary PHP file upload vulnerability in qdPM 9.1 and earlier via path traversal in the profile photo functionality, bypassing .htaccess protection to achieve remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: qdPM <= 9.1

Auth required

Prerequisites: Valid credentials for qdPM · Network access to the target

MITRE ATT&CK

T1059.004 - Unix Shell T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Exploit, Third Party Advisory x_refsource_misc

https://docs.google.com/document/d/13ZZSm0DL1Ie6r_fU5ZdDKGZ4defFqiFXMG--zDo8S10/edit?usp=sharing

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/156063/qdPM-9.1-Remote-Code-Execution.html

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/156571/qdPM-Remote-Code-Execution.html

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/167264/qdPM-9.1-Remote-Code-Execution.html

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/168559/qdPM-9.1-Authenticated-Shell-Upload.html

qdPM < 9.1 - Authenticated Remote Code Execution via Profile Photo Path Traversal

Exploitation Summary

Description

Exploits (8)

References (5)

Scores

Lab Environment

Details