cbcvebase.
CVE-2011-4825
published 2011-12-15

CVE-2011-4825: Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before…

PriorityP266high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
40.91%
98.5th percentile
Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters.

Affected

35 ranges· showing 25
VendorProductVersion rangeFixed in
phpletterajax_file_and_image_manager<= 1.0
phpletterajax_file_and_image_manager
phpletterajax_file_and_image_manager
phpletterajax_file_and_image_manager
phpletterajax_file_and_image_manager
phpletterajax_file_and_image_manager
phpletterajax_file_and_image_manager
phpletterajax_file_and_image_manager
phpletterajax_file_and_image_manager
phpletterajax_file_and_image_manager
phpletterajax_file_and_image_manager
phpletterajax_file_and_image_manager
phpletterajax_file_and_image_manager
phpletterajax_file_and_image_manager
phpmyfaqphpmyfaq
phpmyfaqphpmyfaq
phpmyfaqphpmyfaq
phpmyfaqphpmyfaq
phpmyfaqphpmyfaq
phpmyfaqphpmyfaq
phpmyfaqphpmyfaq
phpmyfaqphpmyfaq
phpmyfaqphpmyfaq
phpmyfaqphpmyfaq
phpmyfaqphpmyfaq

Detection & IOCsextracted from sources · hover to see the quote

path/ajaxfilemanager/ajax_create_folder.php
path/ajaxfilemanager/inc/function.base.php
path/ajaxfilemanager/inc/data.php
pathadmin/libraries/ajaxfilemanager/ajax_create_folder.php
pathadmin/libraries/ajaxfilemanager/inc/data.php
pathadmin/editor/plugins/ajaxfilemanager/ajax_create_folder.php
pathadmin/editor/plugins/ajaxfilemanager/inc/data.php
pathadmin/editor/plugins/ajaxfilemanager/ajax_login.php
pathmodul/tinymce/plugins/ajaxfilemanager/ajax_create_folder.php
pathmodul/tinymce/plugins/ajaxfilemanager/inc/data.php
pathzp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php
pathzp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php
filenamedata.php
  • Detect POST requests to any path ending in 'ajax_create_folder.php' — this is the universal injection entry point across all affected products (log1 CMS, phpMyFAQ, aidiCMS, ZenPhoto).
  • Detect subsequent GET requests to 'inc/data.php' under any ajaxfilemanager path — this is the webshell execution step after successful injection.
  • Detect the custom 'Cmd' HTTP header in GET requests to data.php — exploit PoCs use this header to pass base64-encoded OS commands to the dropped webshell.
  • Match the regex pattern '/_code_(.*)/s' in HTTP responses from data.php — exploit PoCs use this delimiter to extract command output from the webshell.
  • ·The vulnerability is exploitable without authentication in some affected products (e.g., aidiCMS, ZenPhoto), but requires valid admin credentials in phpMyFAQ — authentication state affects detection logic.
  • ·The ajaxfilemanager component is embedded at different sub-paths depending on the host CMS (log1 CMS, phpMyFAQ, aidiCMS, ZenPhoto, tinymce) — detection rules must use wildcard path matching rather than fixed paths.
  • ·The Metasploit module targets log1 CMS 2.0 with a default TARGETURI of '/log1cms2.0/' — other deployments will use different base paths.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.