This exploit demonstrates a PHP code injection vulnerability in Lepton CMS 2.2.0/2.2.1 via the 'Database User' field during installation. The lack of input validation allows arbitrary PHP code execution by injecting malicious payloads into the 'config.php' file.
Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Lepton CMS 2.2.0 / 2.2.1
No auth needed
Prerequisites: Access to the Lepton CMS installation wizard · Ability to modify the 'Database User' field during setup