CVE-2024-58284

HIGH

PopojiCMS - Code Injection

Description

PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter.

Exploits (1)

exploitdb WORKING POC
by Ahmet Ümit BAYRAM · python · webapps · php
https://www.exploit-db.com/exploits/52022

Scores

CVSS v3 7.2
EPSS 0.0079
EPSS Percentile 73.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (2)
popojicms/popojicms 2.0.1
PopojiCMS/PopojiCMS 2.0.1
Published Dec 10, 2025
Tracked Since Feb 18, 2026