JustAppSec

Unauthenticated PHP code injection enables MetInfo CMS RCE

Published 01 Apr 2026 · Updated 01 Apr 2026 · Source: CVEProject (cvelistV5)

TL;DR - MetInfo CMS 7.9–8.1: unauth PHP code injection via the Weixin/WeChat dispatch handler. EventKey and FromUserName from the XML body land in cache::get()/cache::put() unsanitized; path-traversed $code writes attacker PHP into /cache/weixin/Array.php. Public PoC. CVSS 9.3. No vendor patch.

What happened

MetInfo CMS is a PHP-based content management system.

CVE-2026-29014 is a critical unauthenticated PHP code injection enabling RCE in MetInfo 7.9 through 8.1: crafted requests carrying malicious PHP reach an execution path without sufficient input neutralization, resulting in full server compromise.

Karma(In)Security's writeup gives the chain: weixinreply::wxAdminLogin() in /app/system/weixin/include/class/weixinreply.class.php. Attacker-controlled EventKey and FromUserName (XML tags from the Weixin/WeChat dispatch HTTP body) reach cache::get() / cache::put() unsanitized. Path traversal in $code controls which cache file is included; the chain eventually forces a write into /cache/weixin/Array.php and triggers PHP injection via PHP's curly-brace syntax.

Severity: CVSS v4.0 9.3 / v3.1 9.8. Unauthenticated RCE in a CMS is a high-signal internet-exploitation pattern: such systems are publicly exposed and often run with filesystem privileges sufficient for persistence.

Who is impacted

  • Sites running MetInfo CMS versions 7.9.0 through 8.1.0 (inclusive), per the CVE record.
  • Highest practical risk where the exposed Weixin/WeChat integration request path is reachable from untrusted networks.
  • The researcher notes an additional prerequisite on non-Windows systems: successful exploitation requires the /cache/weixin/ directory to exist (created when installing/configuring the official WeChat plugin).

| Component | Affected versions (per CVE record) | Patched versions / solution status |
|---|---|---|
| MetInfo CMS | >= 7.9.0, <= 8.1.0 | No official solution reported in the public researcher disclosure at the time of publication |

What to do now

  • Treat this as an internet-facing emergency if your MetInfo instances are publicly reachable. Immediately inventory exposed MetInfo deployments (hostnames, containers, images) and confirm whether they fall in the affected range.
  • If you operate the Weixin/WeChat integration, review the researcher’s solution status statement and plan compensating controls accordingly:
    • "No official solution is currently available."

  • Reduce reachable attack surface while awaiting a vendor fix:
    • Restrict network access to the Weixin endpoint path used by the PoC (researcher PoC targets app/system/entrance.php?n=include&m=module&c=weixin&a=doapi) to trusted sources only, or disable the integration if not required.
    • Apply layered filtering (reverse proxy/WAF) to block unexpected request patterns into the Weixin handler until you can validate a vendor remediation path.
  • Assume potential compromise if an affected instance was exposed:
    • Review web server and application logs for anomalous POST bodies targeting the Weixin handler and for evidence of command execution behavior.
    • Rotate secrets accessible to the CMS runtime (database credentials, API keys) and validate filesystem integrity under the web root and cache directories.
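As an added example (not part of the advisory or the researcher's material), a log triage script for the review step above: it flags POSTs to the Weixin dispatch path from sources outside a trusted allowlist, and direct fetches of PHP files under /cache/weixin/. The combined log format, the 203.0.113.0/24 allowlist, the sample lines, and the assumption that normal MetInfo traffic never requests cache files directly are all constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Constructed placeholder: replace with the sources your Weixin integration
# legitimately receives callbacks from.
TRUSTED_SOURCES = [ip_network("203.0.113.0/24")]

# Apache/Nginx combined log format: ip - user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_weixin_dispatch(target):
    """The dispatch handler named in the advisory, matched in any parameter order."""
    parts = urlsplit(target)
    if not parts.path.endswith("/app/system/entrance.php"):
        return False
    q = parse_qs(parts.query)
    return (q.get("n") == ["include"] and q.get("m") == ["module"]
            and q.get("c") == ["weixin"] and q.get("a") == ["doapi"])

def is_trusted(ip):
    try:
        return any(ip_address(ip) in net for net in TRUSTED_SOURCES)
    except ValueError:  # not an IP literal (e.g. resolved hostname): treat as untrusted
        return False

def triage_log(lines):
    """Return (reason, ip, time, target) for requests worth an analyst's look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        if m["method"] == "POST" and is_weixin_dispatch(m["target"]) and not is_trusted(m["ip"]):
            hits.append(("untrusted POST to weixin handler", m["ip"], m["time"], m["target"]))
        elif "/cache/weixin/" in path and path.endswith(".php"):
            # Assumption: ordinary MetInfo traffic never requests cache files directly
            hits.append(("direct fetch of cache PHP file", m["ip"], m["time"], m["target"]))
    return hits

# Constructed sample lines, not from any real incident
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2026:10:00:01 +0000] "POST /app/system/entrance.php?n=include&m=module&c=weixin&a=doapi HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Apr/2026:10:02:13 +0000] "POST /app/system/entrance.php?c=weixin&a=doapi&n=include&m=module HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Apr/2026:10:02:14 +0000] "GET /cache/weixin/Array.php HTTP/1.1" 200 12',
    '192.0.2.9 - - [01/Apr/2026:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
]
```

Running `triage_log(SAMPLE_LOG)` reports the two 198.51.100.23 requests and ignores the allowlisted callback and the ordinary page view.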
