CVE-2021-40373

CRITICAL

playSMS < 1.4.5 - Arbitrary Code Execution via Core Main Config PHP Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-40373. PoCs published by maikroservice.

AI-analyzed exploit summary: This PoC demonstrates a remote code execution (RCE) vulnerability in PlaySMS 1.4.3 by leveraging PHP code injection in the configuration page. The attacker can execute arbitrary commands by injecting PHP system calls to download and execute a reverse shell script.

Description

playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and then executing that code via the index.php?app=main&inc=core_welcome URI.

Exploits (1)

nomisec WORKING POC 1 stars
by maikroservice · poc
https://github.com/maikroservice/CVE-2021-40373


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: PlaySMS 1.4.3
Auth required
Prerequisites: Access to admin credentials · Network access to the target · Attacker-controlled server to host malicious script
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/maikroservice/CVE-2021-40373
Release Notes, Vendor Advisory x_refsource_confirm
https://playsms.org/2021/09/04/playsms-1-4-5-released/

Scores

CVSS v3 9.8
EPSS 0.0466
EPSS Percentile 90.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (1)
playsms/playsms < 1.4.5
Published Sep 10, 2021
Tracked Since Feb 18, 2026