CVE-2013-10051
Published: 01 August 2025
Summary
CVE-2013-10051 is a critical-severity Eval Injection (CWE-95) vulnerability in Instantcms Instantcms. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 1.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents remote PHP code execution by requiring validation of user-supplied input in the look parameter before concatenation into eval().
Requires timely flaw remediation, such as patching or upgrading InstantCMS to eliminate the unsafe eval() usage in the search handler.
Boundary protection via web application firewalls can block crafted HTTP GET requests with malicious base64-encoded payloads targeting the Cmd header.
NVD Description
A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed…
more
without proper sanitation. A remote attacker can exploit this flaw by sending a crafted HTTP GET request with a base64-encoded payload in the Cmd header, resulting in arbitrary PHP code execution within the context of the web server.
Deeper analysisAI
CVE-2013-10051 is a remote PHP code execution vulnerability affecting InstantCMS version 1.6 and earlier. The flaw stems from the unsafe use of the eval() function within the search view handler, where user-supplied input passed via the look parameter is directly concatenated into a PHP expression and executed without proper sanitization. This CWE-95 issue earned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to the potential for complete compromise.
A remote attacker can exploit this vulnerability by sending a crafted HTTP GET request containing a base64-encoded payload in the Cmd header. No privileges, user interaction, or special access are required, allowing unauthenticated attackers to achieve arbitrary PHP code execution within the context of the web server process. Successful exploitation grants full control over the server, enabling data theft, persistence, or further lateral movement.
Public references, including advisories from Vulncheck and proof-of-concept exploits on Exploit-DB (ID 26622) and PacketStorm, detail the vulnerability but do not specify official patches or mitigations in the provided information. A Metasploit module (unix/webapp/instantcms_exec.rb) exists for automated exploitation, underscoring the need for immediate upgrades or removal of affected InstantCMS installations.
Details
- CWE(s)