CVE-2021-44967

HIGH

LimeSurvey 5.2.4 - Authenticated Remote Code Execution via Plugin Upload

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2021-44967. PoCs published by Y1LD1R1M, D3Ext, monke443.

AI-analyzed exploit summary This exploit demonstrates an authenticated RCE in LimeSurvey 5.2.4 by uploading a malicious plugin via the plugin manager, then activating it to trigger a reverse shell. It chains CSRF token retrieval, authentication, plugin upload, installation, and activation.

Description

A Remote Code Execution (RCE) vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. NOTE: the Supplier's position is that plugins intentionally can contain arbitrary PHP code, and can only be installed by a superadmin, and therefore the security model is not violated by this finding.

Exploits (5)

exploitdb WORKING POC

by Y1LD1R1M · pythonwebappsphp

https://www.exploit-db.com/exploits/50573

View Code ZIP pw:eip

This exploit demonstrates an authenticated RCE in LimeSurvey 5.2.4 by uploading a malicious plugin via the plugin manager, then activating it to trigger a reverse shell. It chains CSRF token retrieval, authentication, plugin upload, installation, and activation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: LimeSurvey 5.2.4

Auth required

Prerequisites: Valid credentials for LimeSurvey admin panel · Network access to the target · Prepared malicious plugin file

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 6 stars

by D3Ext · poc

https://github.com/D3Ext/CVE-2021-44967

View Code ZIP pw:eip

This is a functional exploit for CVE-2021-44967, an authenticated RCE vulnerability in LimeSurvey 5.2.x. It leverages plugin upload functionality to deploy a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: LimeSurvey 5.2.x

Auth required

Prerequisites: Valid credentials for LimeSurvey admin panel · Network access to target · Ability to receive reverse shell

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by monke443 · poc

https://github.com/monke443/CVE-2021-44967

View Code ZIP pw:eip

This exploit leverages an authenticated RCE vulnerability in LimeSurvey 5.2.4 by uploading a malicious plugin containing a PHP reverse shell. The script automates login, plugin upload, installation, activation, and execution to achieve remote command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: LimeSurvey 5.2.4

Auth required

Prerequisites: Valid superadmin credentials · Network access to the target · Listener setup for reverse shell

MITRE ATT&CK

T1210 - Exploitation of Remote Services T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by godylockz · poc

https://github.com/godylockz/CVE-2021-44967

View Code ZIP pw:eip

This is a functional exploit for CVE-2021-44967, which allows authenticated users to upload a malicious PHP plugin to LimeSurvey, leading to remote code execution via a reverse shell. The script automates authentication, plugin upload, activation, and payload delivery.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: LimeSurvey Community Edition (tested on 6.6.4, affects 5.2.4)

Auth required

Prerequisites: Valid LimeSurvey credentials · Network access to the target · Ability to receive reverse shell connections

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by kikechans · poc

https://github.com/kikechans/-Limesurvey-RCE-CVE-2021-44967

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2021-44967, an authenticated RCE vulnerability in LimeSurvey. The exploit automates the process of logging in, uploading a malicious plugin, and triggering a reverse shell.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: LimeSurvey 5.2.x, 6.x

Auth required

Prerequisites: Administrative credentials for LimeSurvey · Network access to the target · Listener setup for reverse shell

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 27, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory

https://github.com/Y1LD1R1M-1337/Limesurvey-RCE

View Exploit ZIP pw:eip

Exploit, Third Party Advisory, VDB Entry

https://www.exploit-db.com/exploits/50573

Various Sources

https://www.limesurvey.org/manual/Plugins_-_advanced

Scores

CVSS v3 8.8

EPSS 0.1268

EPSS Percentile 95.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

limesurvey/limesurvey 5.2.4

Published Feb 24, 2022

Tracked Since Feb 18, 2026