Arbitrary Code Execution via Crafted Order Parameter in PmWiki PageListSort Function

Arbitrary Code Execution via Crafted Order Parameter in PmWiki PageListSort Function

CVE-2011-4453 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

The PageListSort function in scripts/pagelist.php in PmWiki 2.x before 2.2.35 allows remote attackers to execute arbitrary code via PHP sequences in a crafted order parameter in a pagelist directive, leading to unintended use of the PHP create_function function.

Learn more about our Web Application Penetration Testing UK.