CVE-2021-36424

9.8 CRITICAL

📋 TL;DR

This critical vulnerability in phpwcms allows remote attackers to execute arbitrary code during the installation process by manipulating the database user field. It affects all systems running phpwcms 1.9.25 that are either being installed or reinstalled. Attackers can gain complete control of affected systems without authentication.

💻 Affected Systems

Products:
  • phpwcms
Versions: 1.9.25
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable during installation process when setting up database credentials. Once installation is complete, the vulnerability is no longer accessible unless reinstalling.

📦 What is this software?

phpwcms is an open-source web content management system written in PHP; the project is maintained on GitHub (slackero/phpwcms). The vulnerable code path is its web-based installer, which takes database credentials from the user and writes them into the application's configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with remote code execution leading to data theft, ransomware deployment, or creation of persistent backdoors.

🟠 Likely Case: Web server compromise leading to website defacement, data exfiltration, or use as a foothold for lateral movement within the network.

🟢 If Mitigated: Limited impact if installation is already complete and the system is properly hardened with input validation and least privilege.

🌐 Internet-Facing: HIGH - Exploitation requires no authentication and can be performed remotely during installation.
🏢 Internal Only: MEDIUM - Lower risk if installation is complete, but still vulnerable during reinstallation or maintenance.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - attackers can inject malicious code into the database user field during installation setup.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.26

Vendor Advisory: https://github.com/slackero/phpwcms/issues/310

Restart Required: No

Instructions:

1. Upgrade phpwcms to version 1.9.26 or later.
2. If already installed, ensure no reinstallation is performed with the vulnerable version.
3. Verify installation files are from a trusted source.

🔧 Temporary Workarounds

Input Validation During Installation (applies to: all platforms)

Manually validate database user field input during installation to prevent code injection.

Isolate Installation Environment (applies to: all platforms)

Perform installation in an isolated network segment with restricted internet access.

🧯 If You Can't Patch

  • Ensure installation is complete and never reinstall with the vulnerable version
  • Implement network segmentation to isolate the phpwcms installation environment
  • Remove or restrict access to the installer directory once setup is finished, so the vulnerable code path is not reachable from the network

🔍 How to Verify

Check if Vulnerable:

Check phpwcms version in admin panel or look for version 1.9.25 in source files

Check Version:

Check includes/inc_tool/global.inc.php or admin interface for version number

Verify Fix Applied:

Verify phpwcms version is 1.9.26 or later and installation process is complete

📡 Detection & Monitoring

Log Indicators:

  • Unusual database connection attempts during installation
  • Unexpected PHP code execution in installation logs

Network Indicators:

  • HTTP requests to installation scripts with suspicious parameters
  • Outbound connections from installation process

SIEM Query:

source="phpwcms" AND ("install" OR "setup") AND ("db_user" OR "database") AND suspicious_patterns

(This is a pseudo-query: `suspicious_patterns` is a placeholder for a pattern that matches quote, semicolon or PHP tag characters in the database user value. Note that credentials submitted by POST will not appear in standard web server access logs; use a WAF, reverse-proxy or application log that records request bodies.)
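The following Python script is an added example, not code from the advisory or from the phpwcms project. It does two things a defender would want here: it parses a version string (as found in the admin panel or source files) and reports whether it is below the fixed release 1.9.26, and it scans web server access-log lines for requests to the installer whose `db_user` parameter contains characters that would break out of a PHP string literal. The installer path `/setup/` and the parameter name `db_user` are assumptions taken from the pseudo-query above; the log lines are constructed for this example and use GET so the parameter is visible in an access log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Fixed release per the advisory; anything below it is treated as unpatched.
FIXED_VERSION = (1, 9, 26)


def parse_version(text):
    """Extract a dotted x.y.z version from arbitrary text, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_unpatched_version(text):
    """True when the version found in text is older than 1.9.26."""
    v = parse_version(text)
    return v is not None and v < FIXED_VERSION


# Characters that terminate or interpolate a quoted PHP string, or open/close
# a PHP tag; any of these in a database user name is not legitimate input.
BREAKOUT = re.compile(r"""['"$;\\]|<\?|\?>""")

# Apache/nginx "combined" access-log format (constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_install_requests(lines, setup_paths=("/setup/",), param="db_user"):
    """Return requests to the installer whose db_user value looks like a breakout.

    setup_paths and param are assumptions for this example, not verified
    phpwcms identifiers; adjust them to the deployment being monitored.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not any(p in parts.path for p in setup_paths):
            continue
        # parse_qs percent-decodes values, so encoded quotes are caught too.
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if BREAKOUT.search(value):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": parts.path,
                    "db_user": value,
                })
    return hits


# Constructed sample log: one benign installer request, one with a quote and
# semicolon in db_user, and one unrelated page view.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2021:12:00:01 +0000] '
    '"GET /setup/setup.php?db_user=phpwcms&db_pass=x HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jul/2021:12:00:05 +0000] '
    '"GET /setup/setup.php?db_user=admin%27%3B%27 HTTP/1.1" 200 512',
    '198.51.100.3 - - [10/Jul/2021:12:01:00 +0000] '
    '"GET /index.php?id=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("phpwcms 1.9.25 unpatched:", is_unpatched_version("phpwcms 1.9.25"))
    for hit in flag_install_requests(SAMPLE_LOG):
        print("suspicious installer request:", hit)
```

Run it against a real log with `flag_install_requests(open("access.log"))`; the version check is useful in a fleet-wide inventory script where the version string is scraped from each host's admin page or source tree.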

🔗 References

  • Vendor advisory: https://github.com/slackero/phpwcms/issues/310