Full Disclosure mailing list archives

[KIS-2026-06] MetInfo CMS <= 8.1 (weixinreply.class.php) PHP Code Injection Vulnerability


From: Egidio Romano <n0b0d13s () gmail com>
Date: Wed, 1 Apr 2026 13:54:41 +0200

---------------------------------------------------------------------------
MetInfo CMS <= 8.1 (weixinreply.class.php) PHP Code Injection Vulnerability
---------------------------------------------------------------------------


[-] Software Link:

https://www.metinfo.cn


[-] Affected Versions:

Versions 7.9, 8.0, and 8.1.


[-] Vulnerability Description:

The vulnerable code is located in the
/app/system/weixin/include/class/weixinreply.class.php script.

Specifically, within the weixinreply::wxAdminLogin() method:

    public function wxAdminLogin($data = array(),$code = '')
    {
        global $_M;
        $weixinapi = load::mod_class('weixin/weixinapi','new');
        $login_code = cache::get("weixin/".$code);
        if ($login_code) {
            cache::put("weixin/".$login_code,$data['FromUserName']);
        }
        return;
    }

User input passed through the "EventKey" and "FromUserName" XML tags
from the HTTP request body when dispatching weixin API requests is not
properly sanitized before being used in a call to the cache::get() and
cache::put() methods respectively.

Specifically, the $code parameter may include Path Traversal
sequences, causing the cache::get() method to include arbitrary PHP
files. This can be abused to set the $login_code variable to the
"Array" string by including an arbitrary cache file. Subsequently, the
cache::put() method will write the "FromUserName" parameter into the
/cache/weixin/Array.php file, embedding it within double quotes:

    public static function put($file, $data, $type = 'php')
    {
        global $_M;

        load::sys_func('file');
        $save = PATH_CACHE . $file . '.' . $type;
        makefile($save);
        #$data = str_replace(array("\"", "\\"), array("\\\"", "\\\\"), $data);
        if (!is_array($data)) {
            file_put_contents($save, "<?php\ndefined('IN_MET') or exit('No permission');\n\$cache=\"{$data}\";\n?>");
        } else {
            $info = var_export($data, true);
            $info = "<?php\ndefined('IN_MET') or exit('No permission');\n\$cache = {$info};\n?>";
            file_put_contents($save, $info);
        }
    }

This can be exploited by remote, unauthenticated attackers to inject
and execute arbitrary PHP code by abusing PHP's complex curly syntax,
leading to unauthenticated Remote Code Execution (RCE).

NOTE: when MetInfo is running on non-Windows servers, successful
exploitation of this vulnerability requires the /cache/weixin/
directory to exist, which is created when installing and configuring
the official WeChat plugin.
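
One way to close both gaps described above, shown as an added example that is neither MetInfo's code nor part of the original advisory. The function names safe_cache_key(), render_cache_file() and safe_cache_put(), the key character policy and the temporary demo directory are assumptions. Keys are validated before they reach the filesystem, and strings are serialized with var_export() just like arrays, so they are written as single-quoted literals instead of being embedded within double quotes.

```php
<?php
// Added example, not MetInfo code; function names and key policy are assumptions.

// Accept only keys such as "weixin/abc123": no dots, no backslashes, no empty
// segments, and no non-string values (an array is rejected, not cast to "Array").
function safe_cache_key($key)
{
    if (!is_string($key) || !preg_match('#^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$#D', $key)) {
        throw new InvalidArgumentException('invalid cache key');
    }
    return $key;
}

// Build the cache file body. var_export() emits a string as a single-quoted
// PHP literal with ' and \ escaped, so the value is never parsed as a
// double-quoted string and no variable interpolation takes place on include.
function render_cache_file($data)
{
    return "<?php\ndefined('IN_MET') or exit('No permission');\n\$cache = "
        . var_export($data, true) . ";\n?>";
}

function safe_cache_put($cacheDir, $key, $data)
{
    $path = rtrim($cacheDir, '/') . '/' . safe_cache_key($key) . '.php';
    if (!is_dir(dirname($path))) {
        mkdir(dirname($path), 0750, true);
    }
    return file_put_contents($path, render_cache_file($data), LOCK_EX) !== false;
}

// Constructed sample value containing quotes, a backslash and curly syntax.
$dir = sys_get_temp_dir() . '/cache_demo_' . getmypid();
$sample = 'user_{$x}_"quoted"_\\';
safe_cache_put($dir, 'weixin/demo', $sample);
define('IN_MET', true);
include $dir . '/weixin/demo.php';
var_dump($cache === $sample);   // compare the loaded value with the input

// Constructed sample keys: traversal sequences, an array, and a well-formed key.
foreach (array('../config/x', 'weixin/../x', array('a'), 'weixin/abc123') as $k) {
    try { safe_cache_key($k); $verdict = 'accepted'; }
    catch (InvalidArgumentException $e) { $verdict = 'rejected'; }
    echo $verdict . ': ' . json_encode($k, JSON_UNESCAPED_SLASHES) . "\n";
}
```

Applying the same key check to the value returned by cache::get() before it is reused as a key in wxAdminLogin() keeps a non-string result from ever becoming a file name.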


[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2026-29014.php


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[26/02/2026] - Vendor contacted through several @metinfo.cn and
@mituo.cn email addresses, no response

[07/03/2026] - Tried to reach out to the vendor again, no response

[28/03/2026] - Tried to reach out to the vendor once again, no response

[29/03/2026] - Tried to reach out to the vendor through Weibo, no response

[30/03/2026] - CVE identifier requested

[31/03/2026] - CVE identifier assigned

[01/04/2026] - Public disclosure


[-] CVE Reference:

CVE-2026-29014 has been assigned to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

https://karmainsecurity.com/KIS-2026-06