CVE-2010-1266 in WebMaid CMS
Summary
by MITRE
Multiple PHP remote file inclusion vulnerabilities in WebMaid CMS 0.2-6 Beta and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) template, (2) menu, (3) events, and (4) SITEROOT parameters to template/babyweb/index.php; the (5) modules and (6) copyright parameters to template/calm/footer.php; the (7) menu parameter to template/calm/top.php; and the (8) modules, (9) copyright, and (10) menu parameters to template/wm025/footer.php.
Analysis
by VulDB Data Team • 12/10/2025
The vulnerability described in CVE-2010-1266 represents a critical remote file inclusion flaw affecting WebMaid CMS versions 0.2-6 Beta and earlier. This vulnerability stems from improper input validation and sanitization within multiple PHP scripts that handle user-supplied parameters. The affected files include template/babyweb/index.php, template/calm/footer.php, template/calm/top.php, and template/wm025/footer.php, all of which accept URL parameters that are directly incorporated into file inclusion directives without adequate security checks. This creates a pathway for remote attackers to inject malicious URLs that can be executed as PHP code on the target server, fundamentally compromising the application's security posture.
The technical exploitation of this vulnerability occurs through the manipulation of specific parameter names across different template files. Attackers can leverage the template, menu, events, and SITEROOT parameters in the babyweb/index.php file to reference external malicious scripts. Similarly, the modules and copyright parameters in calm/footer.php, the menu parameter in calm/top.php, and multiple parameters including modules, copyright, and menu in wm025/footer.php can all be exploited to achieve remote code execution. These parameters are typically used for dynamic content inclusion within the CMS templates, but the lack of proper validation allows attackers to substitute legitimate template paths with malicious URLs, enabling arbitrary code execution.
The operational impact of this vulnerability extends beyond simple code execution, as it provides attackers with complete control over the affected web server. Once exploited, attackers can upload additional malicious files, establish persistent backdoors, modify existing content, or even use the compromised server for further attacks against other systems. The vulnerability affects the core functionality of the CMS by allowing attackers to bypass authentication mechanisms and directly manipulate the application's behavior through the template system. This creates a significant risk for organizations using vulnerable WebMaid installations, as the compromise can lead to data theft, service disruption, and potential lateral movement within network environments.
Security mitigation strategies for this vulnerability require immediate patching of the affected WebMaid CMS versions, as no effective workarounds exist for the underlying code flaws. Organizations should implement proper input validation and sanitization measures to prevent URL parameter injection, particularly in files that handle dynamic template inclusion. The vulnerability aligns with CWE-88, which describes improper neutralization of special elements used in an OS command, and CWE-94, which addresses improper control of generation of code. From an ATT&CK framework perspective, this vulnerability maps to T1190, exploiting vulnerabilities in remote services, and T1059, command and scripting interpreter, as attackers can execute arbitrary commands through the compromised PHP scripts. Network segmentation and web application firewalls should be deployed to monitor for suspicious URL patterns, while regular security audits should verify that all CMS components are updated to secure versions.
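The monitoring recommended above can be run offline against web server access logs. The following is an added example, not WebMaid or VulDB code: it flags requests to the four affected scripts in which one of the parameters listed in the summary carries a URL. The access-log line format, the "value starts with a scheme" heuristic, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Affected script -> parameters, taken from the CVE-2010-1266 description.
AFFECTED = {
    "template/babyweb/index.php": {"template", "menu", "events", "SITEROOT"},
    "template/calm/footer.php": {"modules", "copyright"},
    "template/calm/top.php": {"menu"},
    "template/wm025/footer.php": {"modules", "copyright", "menu"},
}
# Assumed heuristic: a value that begins with "<scheme>://" is a remote reference.
REMOTE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses and example.invalid only).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2025:10:00:01 +0000] "GET /cms/template/calm/top.php?menu=http%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Dec/2025:10:00:02 +0000] "GET /cms/template/babyweb/index.php?template=babyweb&SITEROOT=/var/www/cms HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Dec/2025:10:00:03 +0000] "GET /cms/index.php?menu=http://example.invalid/ HTTP/1.1" 200 100',
    '198.51.100.9 - - [10/Dec/2025:10:00:04 +0000] "GET /cms/template/wm025/footer.php?copyright=FTP://example.invalid/c&page=2 HTTP/1.1" 200 90',
]

def flag_request(target):
    """Return sorted (script, parameter) pairs whose value is a remote URL."""
    parts = urlsplit(target)
    path = re.sub(r"/+", "/", parts.path)  # tolerate doubled slashes in the path
    hits = set()
    for script, params in AFFECTED.items():
        if not path.endswith("/" + script):
            continue
        # parse_qsl percent-decodes, so http%3A%2F%2F... is seen as http://...
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name in params and REMOTE.match(value):
                hits.add((script, name))
    return sorted(hits)

def scan(lines):
    """Return (line_number, script, parameter) for every flagged log line."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m:
            findings.extend((number, *hit) for hit in flag_request(m.group(1)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only query-string parameters are visible in access logs, so values sent in a POST body need inspection at the proxy or WAF instead.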