CVE-2022-47129

9.8 CRITICAL

📋 TL;DR

PHPOK v6.3 contains a remote code execution vulnerability (CWE-94: Improper Control of Generation of Code) that allows attackers to execute arbitrary code on affected systems. This affects all installations running PHPOK v6.3. The high CVSS score of 9.8 indicates critical severity with low attack complexity.

💻 Affected Systems

Products:
  • PHPOK
Versions: v6.3
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: All PHPOK v6.3 installations are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install malware, steal data, pivot to other systems, or establish persistent backdoors.

🟠 Likely Case

Attackers gain shell access to the web server, allowing them to deface websites, install cryptocurrency miners, or exfiltrate sensitive data.

🟢 If Mitigated

Limited impact with proper network segmentation, WAF rules, and minimal privileges, potentially containing the attack to the web server only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exists in the provided GitHub gist. The vulnerability appears to be in template parsing functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

1. Check for an official patch from the PHPOK developers
2. If no patch is available, upgrade to a newer version if compatible
3. Consider migrating to an alternative CMS if PHPOK is no longer maintained

🔧 Temporary Workarounds

WAF Rule Implementation

all

Implement web application firewall rules to block suspicious template parsing requests

Disable Template Editing

all

Restrict access to template editing functionality if not required

🧯 If You Can't Patch

  • Isolate the PHPOK instance in a separate network segment with strict egress filtering
  • Implement application-level monitoring and alerting for suspicious file operations or command execution

🔍 How to Verify

Check if Vulnerable:

Check the PHPOK version in the admin panel or by examining the source files. If the version is 6.3, the system is vulnerable.

Check Version:

Check PHPOK configuration files or admin panel for version information

Verify Fix Applied:

Verify version has been updated beyond 6.3 or that template parsing functionality has been secured.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to template-related endpoints
  • Unexpected file creation in web directories
  • Suspicious PHP execution patterns

Network Indicators:

  • Outbound connections from web server to unknown IPs
  • Unusual traffic patterns from web server

SIEM Query:

source="web_logs" AND method="POST" AND (uri="*template*" OR uri="*phpok*") AND status="200" AND size>10000
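
Where no SIEM is available, the same filter can be run directly over raw access logs. The script below is an added example, not part of the original advisory or of PHPOK; it reads the query as "POST requests whose URI contains `template` or `phpok`, with status 200 and a size above 10000", in line with the first log indicator. It assumes Apache/nginx combined log format, and the sample lines and URIs are constructed for illustration, not real PHPOK endpoints.

```python
import re

# Apache/nginx "combined" format: ip - user [time] "METHOD uri proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Substrings and size threshold taken from the SIEM query on this page.
URI_KEYWORDS = ("template", "phpok")
MIN_SIZE = 10000

# Constructed sample lines (documentation IP ranges, hypothetical URIs).
SAMPLE = [
    '198.51.100.7 - - [10/Jan/2023:10:00:01 +0000] "POST /example/template/save HTTP/1.1" 200 15320 "-" "curl/7.85.0"',
    '198.51.100.7 - - [10/Jan/2023:10:00:05 +0000] "GET /example/template/list HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2023:10:01:00 +0000] "POST /login HTTP/1.1" 200 18000 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2023:10:01:30 +0000] "POST /PHPOK/upload HTTP/1.1" 200 - "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Jan/2023:10:02:00 +0000] "POST /phpok/api HTTP/1.1" 403 12000 "-" "Mozilla/5.0"',
    'truncated or malformed line',
    '192.0.2.44 - - [10/Jan/2023:10:03:00 +0000] "POST /site/PHPOK/index.php?c=x HTTP/1.1" 200 10001 "-" "Mozilla/5.0"',
]

def matches(line):
    """Return the parsed fields if the line satisfies the query, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # malformed or non-combined-format line: skip it
    size = 0 if m["size"] == "-" else int(m["size"])  # "-" means no body sent
    uri = m["uri"].lower()  # match keywords case-insensitively
    if (m["method"] == "POST" and m["status"] == "200" and size > MIN_SIZE
            and any(k in uri for k in URI_KEYWORDS)):
        return {"ip": m["ip"], "time": m["time"], "uri": m["uri"], "size": size}
    return None

def scan(lines):
    """Return every matching request, in log order."""
    return [hit for hit in map(matches, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Hits are leads for review, not confirmation of exploitation; correlate them with the file-creation and outbound-connection indicators listed above.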
