CP
cyberpings
VulnerabilitiesHIGH

MetInfo CMS Vulnerability - PHP Code Injection Risk

Featured image for MetInfo CMS Vulnerability - PHP Code Injection Risk
FDFull Disclosure
Summary by CyberPings Editorial·AI-assisted·Reviewed by Rohit Rana
Ingested:
🎯

Basically, there's a flaw in MetInfo CMS that lets hackers run harmful code remotely.

Quick Summary

A critical vulnerability in MetInfo CMS could let attackers execute arbitrary PHP code. Versions 7.9, 8.0, and 8.1 are at risk. Stay alert for updates and potential fixes.

What Happened

A significant PHP code injection vulnerability has been discovered in MetInfo CMS, affecting versions 7.9, 8.0, and 8.1. The flaw lies within the weixinreply.class.php script, specifically in the wxAdminLogin() method. This vulnerability allows attackers to exploit the system by injecting malicious PHP code.

The Flaw

The issue arises from the improper sanitization of user input. Specifically, the parameters EventKey and FromUserName from HTTP requests are not adequately checked before being processed. This oversight allows attackers to use Path Traversal sequences to manipulate the cache::get() method, potentially leading to the inclusion of arbitrary PHP files.

What's at Risk

If exploited, this vulnerability could lead to unauthenticated Remote Code Execution (RCE). Attackers could execute arbitrary PHP code on the server, which poses a severe security risk. This is particularly concerning for organizations using MetInfo CMS in production environments, especially those that have the WeChat plugin installed.

Proof of Concept

A proof of concept is available, demonstrating how this vulnerability can be exploited. You can find it here.

Patch Status

Currently, there is no official solution or patch available from the MetInfo team. This lack of response from the vendor raises concerns about the urgency and seriousness of addressing the vulnerability.

Disclosure Timeline

  • 26/02/2026: Vendor contacted via multiple email addresses, no response.
  • 07/03/2026: Follow-up attempt, no response.
  • 28/03/2026: Another attempt to contact the vendor, still no reply.
  • 29/03/2026: Attempted to reach out through Weibo, no response.
  • 30/03/2026: CVE identifier requested.
  • 31/03/2026: CVE identifier assigned.
  • 01/04/2026: Public disclosure of the vulnerability.

What You Should Do

Organizations using affected versions of MetInfo CMS should:

  • Monitor for any unusual activity on their systems.
  • Consider disabling the WeChat plugin if it is not essential.
  • Stay updated on any announcements from MetInfo regarding a patch or mitigation strategies.

In summary, the MetInfo CMS PHP code injection vulnerability poses a high risk for users. Immediate attention and monitoring are advised until a fix is provided.

🔒 Pro insight: The lack of vendor response highlights a concerning trend in vulnerability management, emphasizing the need for proactive security measures.

Original article from

FDFull Disclosure
Read Full Article

Share

Related Pings

CRITICALVulnerabilities

Fortinet FortiClient EMS - Critical 0-Day Vulnerability Exploited

A critical zero-day vulnerability in FortiClient EMS is actively exploited. Fortinet has released emergency patches and urges immediate action from users.

Cyber Security News·
HIGHVulnerabilities

Video Conferencing Bug - CISA Orders Agencies to Patch

A serious vulnerability in TrueConf video conferencing software is being exploited by Chinese hackers. CISA has mandated a two-week patch deadline for federal agencies. Immediate action is essential to safeguard sensitive data and communications.

The Record·
HIGHVulnerabilities

Post-Deployment Vulnerability Detection - Rethinking Strategies

A new approach to vulnerability detection is needed post-deployment. Many organizations overlook risks from newly disclosed CVEs, leaving systems exposed. Rethinking strategies can enhance security.

OpenSSF Blog·
HIGHVulnerabilities

Mobile Vulnerabilities - Enterprises Struggle with Control

Mobile devices are increasingly vulnerable due to outdated software and hidden threats like Shadow AI. This puts sensitive enterprise data at risk. Organizations must act to secure their mobile environments.

SecurityWeek·
HIGHVulnerabilities

CVE-2026-33691 - OWASP CRS Whitespace Padding Bypass Alert

A new vulnerability in OWASP CRS allows attackers to upload dangerous files by exploiting whitespace in filenames. This affects many web applications, risking severe security breaches. Immediate updates are necessary to protect your systems.

Full Disclosure·
HIGHVulnerabilities

Broken Access Control - High Risk in Open WebUI Discovered

A serious vulnerability has been found in Open WebUI, allowing low-privileged users to access sensitive data. This flaw, CVE-2026-34222, poses a high risk. Users must update to the latest version to secure their systems.

Full Disclosure·