CVE-2022-50944

HIGH

Aero CMS 0.0.1 PHP Code Injection via posts.php

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-50944. PoCs published by Hubert Wojciechowski.

AI-analyzed exploit summary This exploit demonstrates a PHP code injection vulnerability in Aero CMS v0.0.1 by uploading a malicious PHP file disguised as an image. The payload includes a DNS callback to confirm execution, proving remote code execution (RCE) via file upload.

Description

Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server.

Exploits (1)

exploitdb WORKING POC

by Hubert Wojciechowski · textwebappsphp

https://www.exploit-db.com/exploits/51085

View Code ZIP pw:eip

This exploit demonstrates a PHP code injection vulnerability in Aero CMS v0.0.1 by uploading a malicious PHP file disguised as an image. The payload includes a DNS callback to confirm execution, proving remote code execution (RCE) via file upload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Aero CMS v0.0.1

Auth required

Prerequisites: admin access to the Aero CMS admin panel · file upload functionality enabled

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 10, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-51085

https://www.exploit-db.com/exploits/51085

Product product

Official Product Homepage

https://github.com/MegaTKC/AeroCMS

Third Party Advisory third-party-advisory

VulnCheck Advisory: Aero CMS 0.0.1 PHP Code Injection via posts.php

https://www.vulncheck.com/advisories/aero-cms-php-code-injection-via-posts-php

Scores

CVSS v3 8.8

EPSS 0.0035

EPSS Percentile 26.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (1)

MegaTKC/Aero CMS 0.0.1

Published May 10, 2026

Tracked Since May 10, 2026