cbcvebase.
CVE-2013-10070
published 2025-08-05

Priority: P274 | Severity: critical | CVSS 4.0 score: 10
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (threat, environmental and supplemental metrics not defined)
Exploit: EXPLOIT tag set (a Metasploit module exists; see Detection & IOCs)
EPSS: 1.39% (69.0th percentile)
PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval() without sanitization. A remote attacker can exploit this flaw by crafting a request that injects arbitrary PHP code, resulting in command execution under the web server's context. The vulnerability allows unauthenticated attackers to execute system-level commands via base64-encoded payloads embedded in parameter names, leading to full compromise of the host system.

Affected (1 range)

Vendor       Product      Version range   Fixed in
php-charts   php-charts

Detection & IOCs (extracted from sources)

Path IOCs:
  • wizard/url.php
  • /wizard/url.php
  • Monitor HTTP GET requests to wizard/url.php where parameter names contain base64-encoded or otherwise obfuscated PHP code payloads, as the vulnerability passes GET parameter names directly to eval().
  • Alert on requests to wizard/url.php containing base64-encoded strings in GET parameter names, as attackers embed arbitrary PHP code via base64-encoded payloads in parameter names to achieve unauthenticated RCE.
  • Exploit attempts targeting this CVE can be identified via the Metasploit module path exploits/unix/webapp/php_charts_exec, which can appear in attacker tooling or logs.
  • The vulnerability is unauthenticated — no credentials or session are required to exploit it, meaning any network-accessible instance of PHP-Charts v1.0 is at risk without additional access controls.
  • Code execution occurs under the web server user's context, so the impact scope depends on the privileges of the web server process on the host.
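The first two monitoring rules above, turned into a check that runs over web-server access log lines. This is an added example, not code from the CVE record or the PHP-Charts project; the Apache/nginx combined log format, the "decodes to printable text" heuristic for spotting base64 parameter names, and the sample log lines are my own assumptions and constructions.

```python
import base64
import re
import string
from urllib.parse import parse_qsl, quote, urlsplit

# Apache/nginx "combined" log line: client ident user [time] "METHOD TARGET PROTO" status bytes
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" \d{3} \S+')
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
IDENT_RE = re.compile(r"^[A-Za-z0-9_\-\[\]]{1,64}$")  # what an ordinary GET parameter name looks like

def looks_base64(name):
    """True if name is well-formed base64 that decodes to (mostly) printable text."""
    if len(name) < 16 or len(name) % 4 or not B64_RE.match(name):
        return False
    try:
        decoded = base64.b64decode(name, validate=True)
    except ValueError:
        return False
    # A long plain identifier may also decode, but to binary junk; an encoded script decodes to text.
    return len(decoded.translate(None, string.printable.encode())) <= 0.1 * len(decoded)

def suspicious_param_names(target):
    """(name, reason) for each GET parameter name of a wizard/url.php request that trips a rule."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wizard/url.php"):
        return []
    findings = []
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):  # percent-decodes, so %2B/%2F/%3D cannot hide it
        if looks_base64(name):
            findings.append((name, "base64-like parameter name"))
        elif name and not IDENT_RE.match(name):
            findings.append((name, "non-identifier characters in parameter name"))
    return findings

def scan_log(lines):
    """Return (client, target, name, reason) for every GET request in lines that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "GET":
            hits += [(m["client"], m["target"], n, r) for n, r in suspicious_param_names(m["target"])]
    return hits

# Constructed sample traffic (not real logs); the encoded name is base64 of a harmless marker string.
ENCODED_NAME = base64.b64encode(b"constructed sample marker, not a real payload").decode()
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Aug/2025:10:00:01 +0000] "GET /wizard/url.php?type=bar&width=400 HTTP/1.1" 200 1532',
    f'198.51.100.7 - - [05/Aug/2025:10:00:02 +0000] "GET /wizard/url.php?{quote(ENCODED_NAME, safe="")} HTTP/1.1" 200 210',
    f'198.51.100.7 - - [05/Aug/2025:10:00:03 +0000] "GET /index.php?{quote(ENCODED_NAME, safe="")} HTTP/1.1" 200 88',
]
```

Only the second sample line is reported: the benign request carries ordinary parameter names, and the third line hits a different path, so it is out of scope for this rule.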