CVE-2026-2898

MEDIUM

funadmin <= 7.1.0-rc4 - Deserialization

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-2898. PoCs published by XiaomingX and aykhan32.

AI-analyzed exploit summary: the aykhan32 repository contains a functional exploit for CVE-2026-2898, targeting insecure deserialization in FunAdmin's AuthCloudService::getMember; it sends a crafted serialized payload via the cloud_account parameter to achieve object injection, potentially leading to RCE. The automated summary attached to the XiaomingX entry below instead describes a time-based blind SQL injection in WordPress Quiz Maker (CVE-2025-10042) and does not match this CVE, so that entry's classification is not evidence about CVE-2026-2898.

Description

A vulnerability was detected in funadmin up to and including 7.1.0-rc4. The affected code is the function getMember in app/common/service/AuthCloudService.php, part of the Backend Endpoint component. Manipulating the cloud_account argument leads to insecure deserialization (CWE-502); in a PHP application this means attacker-controlled data reaching unserialize(), which lets the attacker choose which classes are instantiated and which magic methods (__wakeup, __destruct) run. The attack can be carried out over the network. A public exploit exists and may be used. The vendor was contacted early about this disclosure but did not respond.
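The shape of the bug described above, as an added illustration (not FunAdmin's code and not taken from either PoC repository): a request value named cloud_account reaching PHP unserialize() unchanged, beside a hardened version that refuses object instantiation and validates the decoded shape, plus a request-level pre-check for object-serialization tokens in plain, URL-encoded or base64-encoded form. GadgetStandIn, getMemberVulnerable, getMemberHardened and looksLikeObjectPayload are hypothetical names chosen for the example; the sample inputs are constructed.

```php
<?php
// Added illustration of the advisory's bug class; not FunAdmin's code.
// Names below (GadgetStandIn, getMemberVulnerable, getMemberHardened,
// looksLikeObjectPayload) are hypothetical. Requires PHP 8.0+.

// Stand-in for any class whose magic method does something dangerous once
// unserialize() instantiates it. The destructor only records that it ran,
// so the demo stays inert; a real gadget chain would write a file or run a
// command here.
final class GadgetStandIn
{
    public string $cmd = '';

    public function __destruct()
    {
        $GLOBALS['gadget_fired'][] = $this->cmd;
    }
}

// Vulnerable shape: the raw request value is handed to unserialize(), so the
// attacker picks which classes get instantiated (object injection).
function getMemberVulnerable(string $cloudAccount): mixed
{
    return unserialize($cloudAccount);
}

// Hardened shape: allowed_classes => false turns every O:/C: entry into
// __PHP_Incomplete_Class, so no __wakeup/__destruct of an attacker-chosen
// class ever runs; the result is then checked against the expected shape.
function getMemberHardened(string $cloudAccount): ?array
{
    $data = @unserialize($cloudAccount, ['allowed_classes' => false]);
    if (!is_array($data)
        || !isset($data['account'], $data['token'])
        || !is_string($data['account'])
        || !is_string($data['token'])) {
        return null;
    }
    return ['account' => $data['account'], 'token' => $data['token']];
}

// Request-level pre-check (WAF rule / input filter): PHP object serialization
// always carries an O:<len>:"<class>": or C:<len>:"<class>": token, which may
// arrive URL-encoded or base64-encoded.
function looksLikeObjectPayload(string $value): bool
{
    $candidates = [$value, urldecode($value)];
    $b64 = base64_decode($value, true);
    if ($b64 !== false) {
        $candidates[] = $b64;
    }
    foreach ($candidates as $c) {
        if (preg_match('/(?:^|[;{:])[OC]:\d+:"[A-Za-z0-9_\\\\]+":/', $c) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs (not taken from the PoC repositories).
$benign    = serialize(['account' => 'demo', 'token' => 'abc123']);
$malicious = 'O:13:"GadgetStandIn":1:{s:3:"cmd";s:2:"id";}';

$GLOBALS['gadget_fired'] = [];
getMemberVulnerable($malicious);          // object is created, then discarded
printf("vulnerable: destructor ran %d time(s), cmd=%s\n",
    count($GLOBALS['gadget_fired']), implode(',', $GLOBALS['gadget_fired']));

$GLOBALS['gadget_fired'] = [];
var_dump(getMemberHardened($malicious));  // NULL: incomplete class, no destructor
printf("hardened: destructor ran %d time(s)\n", count($GLOBALS['gadget_fired']));
print_r(getMemberHardened($benign));      // the expected account/token array

foreach ([$benign, $malicious, rawurlencode($malicious), base64_encode($malicious)] as $v) {
    printf("%-4s %s\n", looksLikeObjectPayload($v) ? 'OBJ' : 'ok', substr($v, 0, 40));
}
```

Run it with `php` on the command line. The destructor counter is the point of the demo: in the vulnerable path it fires as soon as the attacker-supplied object is discarded, which is exactly the moment a real gadget chain does its work; in the hardened path it never fires because unserialize() is not allowed to instantiate the class at all. The pre-check is a cheap first line of defence only; it does not replace fixing the sink.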

Exploits (2)

github · WORKING POC · 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-2898

The repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The exploit includes data extraction logic for WordPress admin credentials and hashes. Note: this automated summary and the classification that follows describe CVE-2025-10042, not CVE-2026-2898; the repository path is filed under CVE-2026-2898, but the analysis as shown does not correspond to the FunAdmin deserialization issue, so treat this entry as unverified for this CVE.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress Quiz Maker <= 6.7.0.56
No auth needed
Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)
devstral-2 · analyzed Feb 27, 2026
nomisec · WORKING POC
by aykhan32 · poc
https://github.com/aykhan32/CVE-2026-2898-FunAdmin-Deserialization

The repository contains a functional exploit for CVE-2026-2898, targeting an insecure deserialization vulnerability in FunAdmin's AuthCloudService::getMember. The exploit sends a crafted serialized payload via the cloud_account parameter to achieve object injection, potentially leading to RCE.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: FunAdmin <= 7.1.0-rc4
No auth needed (as classified by the automated analysis; note that the CVSS vector below is PR:L/UI:R, i.e. low privileges and user interaction, and the affected code sits in the backend endpoint, so verify whether the endpoint is reachable unauthenticated before relying on this)
Prerequisites: Target URL · Serialized payload
devstral-2 · analyzed Feb 24, 2026

References (5)

Core References (5)

VDB entry, technical description (permissions required)
https://vuldb.com/?id.347209

VDB entry, CTI signature (permissions required)
https://vuldb.com/?ctiid.347209

VDB submission, third-party advisory (permissions required)
https://vuldb.com/?submit.753976

Issue tracking
https://github.com/I4m6da/CVE/issues/5

Issue tracking, exploit
https://github.com/I4m6da/CVE/issues/5#issue-3890444166

Scores

CVSS v3 5.5
EPSS 0.0004
EPSS Percentile 11.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-20 (Improper Input Validation), CWE-502 (Deserialization of Untrusted Data)
Status published
Products (3)
funadmin/funadmin 7.1.0 rc1 (4 CPE variants)
funadmin/funadmin < 7.1.0
funadmin/funadmin (Packagist)
Published Feb 22, 2026
Tracked Since Feb 22, 2026