CVE-2023-53895

CRITICAL

PimpMyLog 1.7.14 - Unauthenticated Admin Account Creation via Configuration Endpoint

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53895. PoCs published by thoughtfault.

AI-analyzed exploit summary

This exploit leverages improper access control in PimpMyLog to create an admin account and then hides it using a stored XSS payload. The script automates the creation of a backdoor account and obscures it from the user list via JavaScript manipulation.

Description

PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, and potentially access sensitive server-side log information and environmental variables.

Exploits (1)

exploitdb WORKING POC
by thoughtfault · python · webapps · php
https://www.exploit-db.com/exploits/51593

Classification
Working PoC 95%
Attack Type Auth Bypass
Complexity Trivial
Reliability Reliable
Target: PimpMyLog v1.5.2-1.7.14
No auth needed
Prerequisites: Network access to the target application · The configure.php endpoint must be accessible
Analyzed by devstral-2 on Feb 16, 2026

References (4)

Core References
Product: https://www.pimpmylog.com/
Exploit, Third Party Advisory, VDB Entry: https://www.exploit-db.com/exploits/51593

Scores

CVSS v3 9.8
EPSS 0.0057
EPSS Percentile 42.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-285
Status published
Products (2)
Pimpmylog/PimpMyLog 1.7.14
potsky/pimp_my_log 1.7.14
Published Dec 16, 2025
Tracked Since Feb 18, 2026