| Title | maxsite CMS 109.1 Code Injection |
|---|
| Description | **Executive Summary**
An unauthenticated Remote Code Execution (RCE) path exists when the `run_php` plugin is enabled.
Attacker-controlled input sent to the MarkItUp preview AJAX endpoint is passed through content hooks and reaches `eval()` in `run_php`, enabling execution of arbitrary PHP code on the server.
**Affected Components and Scope**
- Component: MarkItUp preview AJAX handler
  - application/maxsite/admin/plugins/editor_markitup/preview-ajax.php
- Component: `run_php` plugin execution hook
  - application/maxsite/plugins/run_php/index.php
**Technical Root Cause**
The preview endpoint accepts user input (`data`) and applies content hooks without authentication checks:
- application/maxsite/admin/plugins/editor_markitup/preview-ajax.php:4
- application/maxsite/admin/plugins/editor_markitup/preview-ajax.php:13
- application/maxsite/admin/plugins/editor_markitup/preview-ajax.php:17
`run_php` registers to content hooks and evaluates user-controlled content inside `[php]...[/php]` tags:
- Hook registration:
  - application/maxsite/plugins/run_php/index.php:11
- Dangerous sink:
  - application/maxsite/plugins/run_php/index.php:22
**Reachability and Exploit Preconditions**
Preconditions:
1. The `run_php` plugin is enabled.
2. The attacker can send POST requests to the preview AJAX endpoint.
Path:
1. The attacker submits crafted `data` to the preview endpoint.
2. The endpoint passes the content through the `content_content` hook.
3. The `run_php` callback processes `[php]...[/php]`.
4. The callback executes the payload with `eval()`.
**Proof of Concept (Safe Payload)**
`$PREVIEW` is a shell variable holding the Base64-encoded path of the internal AJAX file target; `$BASE` is the site's base URL.
Generate the endpoint token:
`PREVIEW=$(php -r "echo base64_encode('admin/plugins/editor_markitup/preview-ajax.php');")`
Send the safe test payload:
`curl -i -X POST "$BASE/ajax/$PREVIEW" --data-urlencode "data=[php]echo 'RCE_OK';[/php]"`
Endpoint format:
- `POST $BASE/ajax/$PREVIEW`
**Expected Vulnerable Response**
If vulnerable, the response body includes:
- RCE_OK
This demonstrates server-side PHP execution of attacker-supplied content.
**Security Impact**
Successful exploitation can lead to:
1. Arbitrary server-side code execution under the web server/PHP process privileges.
2. Full CMS compromise (content, accounts, configuration, DB access via the application context).
3. Potential persistence or lateral movement, depending on host hardening.
**Risk Rating (CVSS Proposal)**
Recommended CVSS v3.1 vector (under the listed preconditions):
`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Suggested score: 9.8 (Critical).
**Remediation Guidance**
1. Enforce authentication and authorization on the preview endpoint.
2. Remove `eval()`-based execution from `run_php` (or disable the plugin by default).
3. Block/strip executable shortcode tags (`[php]`, `[php_in]`) in untrusted contexts.
4. Add explicit allowlist processing for preview rendering (no executable transforms).
5. Add CSRF protection and endpoint hardening for AJAX routes. |
|---|
| User | mrsolo404 (UID 95656) |
|---|
| Submission | 02/18/2026 20:34 (2 months ago) |
|---|
| Moderation | 02/28/2026 18:15 (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 348281 [MaxSite CMS up to 109.1 MarkItUp Preview AJAX Endpoint preview-ajax.php eval code injection] |
|---|
| Points | 17 |
|---|
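Added example, not part of the submission above and not MaxSite code: a Python screening routine a defender can run over proxy or WAF request records to flag the request shape described in the Proof of Concept, decoding the `/ajax/<base64>` token to see whether it points at an admin plugin file and checking the `data` parameter for `[php]`/`[php_in]` shortcodes, plus a helper that strips those blocks as remediation step 3 suggests. The request records are constructed, the non-admin target path is a placeholder, and the `/ajax/` route prefix is assumed to appear verbatim in the logged path.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote

# Base64 token for the preview handler, built the same way the PoC's $PREVIEW is.
PREVIEW_TOKEN = base64.b64encode(
    b"admin/plugins/editor_markitup/preview-ajax.php").decode("ascii")

# Constructed sample requests (method, path, form body), standing in for what a
# reverse proxy or WAF would record; the first body is the page's safe PoC payload,
# the second target path is a placeholder for some non-admin AJAX file.
SAMPLE_REQUESTS = [
    ("POST", "/ajax/" + PREVIEW_TOKEN, "data=%5Bphp%5Decho+%27RCE_OK%27%3B%5B%2Fphp%5D"),
    ("POST", "/ajax/" + base64.b64encode(b"plugins/example/ajax.php").decode(), "data=hi"),
    ("GET", "/page/about", ""),
]

# Paired [php]...[/php] / [php_in]...[/php_in] blocks, and any stray tag left over.
BLOCK_RE = re.compile(r"\[(php|php_in)\].*?\[/\1\]", re.DOTALL)
TAG_RE = re.compile(r"\[/?(?:php|php_in)\]")

def decode_ajax_target(path):
    """Return the file path hidden behind /ajax/<base64>, or None if absent or invalid."""
    marker = "/ajax/"
    idx = path.find(marker)
    if idx < 0:
        return None
    token = unquote(path[idx + len(marker):])
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def strip_executable_shortcodes(text):
    """Remediation step 3: drop executable shortcode blocks from untrusted content."""
    return TAG_RE.sub("", BLOCK_RE.sub("", text))

def classify_request(method, path, body):
    """Findings for one request: admin-file AJAX target and/or shortcode in `data`."""
    findings = []
    target = decode_ajax_target(path)
    if method == "POST" and target is not None and target.startswith("admin/"):
        findings.append("admin-ajax-target:" + target)
    data = parse_qs(body).get("data", [""])[0]
    if BLOCK_RE.search(data) or TAG_RE.search(data):
        findings.append("executable-shortcode-in-data")
    return findings

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[0], req[1], classify_request(*req))
```

A hit on `admin-ajax-target` alone is only a lead (legitimate editor sessions use the same route), so correlate it with the session or authentication state before treating it as an attack.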