Share
## https://sploitus.com/exploit?id=32E620FD-8A80-506B-9579-4AF881B8D982
# Typecho GetText Plural-Forms eval() Remote Code Execution
## Overview
A code injection vulnerability (CWE-95) exists in Typecho v1.3.0 and earlier. The GetText internationalization module uses PHP's `eval()` to dynamically execute Plural-Forms expressions extracted from MO translation files without any sanitization.
**CVSS 3.1**: 7.2 HIGH โ `AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`
## Affected Code
- **File**: `var/Typecho/I18n/GetText.php`
- **Function**: `selectString()` (line 371) โ `eval("$string")`
- **Function**: `getPluralForms()` (line 396) โ regex extraction without filtering
## Quick Start
### Verification (PHP)
```bash
php verify_eval_injection.php
```
### Build malicious MO file
```bash
python3 build_malicious_mo.py
```
## Vulnerability Chain
```
_n() โ I18n::ngettext() โ GetTextMulti::ngettext()
โ GetText::ngettext() โ selectString()
โ getPluralForms() [extracts Plural-Forms header from MO file]
โ str_replace() [variable substitution]
โ eval("$string") [ATTACKER CODE EXECUTED]
```
## Remediation
Replace `eval()` with a safe expression parser or apply strict whitelist validation on the Plural-Forms expression.
## Disclosure Timeline
| Date | Event |
|------|-------|
| 2026-05-28 | Vulnerability discovered |
| 2026-05-28 | PoC verified |
| TBD | CVE assigned |
| TBD | Vendor notified |
## License
This repository is for security research purposes only.