Home

Description

WeBid 1.0.2 contains a remote code injection vulnerability in the converter.php script, where unsanitized input in the to parameter of a POST request is written directly into includes/currencies.php. This allows unauthenticated attackers to inject arbitrary PHP code, resulting in persistent remote code execution when the modified script is accessed or included by the application.

PUBLISHED Reserved 2025-08-11 | Published 2025-08-13 | Updated 2025-08-14 | Assigner VulnCheck




CRITICAL: 10.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status
unknown

*
affected

Credits

EgiX finder

References

raw.githubusercontent.com/...s/linux/http/webid_converter.rb exploit

www.exploit-db.com/exploits/17487 exploit

www.exploit-db.com/exploits/18934 exploit

web.archive.org/...bidsupport.com/forums/showthread.php?3892 vendor-advisory patch

sourceforge.net/projects/simpleauction/ product

www.vulncheck.com/advisories/webid-remote-php-code-injection third-party-advisory

cve.org (CVE-2011-10011)

nvd.nist.gov (CVE-2011-10011)

Download JSON