MetInfo CMS <= 8.1 (weixinreply.class.php) PHP Code Injection Vulnerability
• Software Link:
• Affected Versions:
Versions 7.9, 8.0, and 8.1.
• Vulnerability Description:
The vulnerable code is located in the /app/system/weixin/include/class/weixinreply.class.php script, specifically within the weixinreply::wxAdminLogin() method:
public function wxAdminLogin($data = array(),$code = '')
{
    global $_M;
    $weixinapi = load::mod_class('weixin/weixinapi','new');
    $login_code = cache::get("weixin/".$code);          // $code is attacker-controlled (EventKey)
    if ($login_code) {
        cache::put("weixin/".$login_code,$data['FromUserName']);   // FromUserName is attacker-controlled
    }
    return;
}

User input passed through the EventKey and FromUserName XML tags of the HTTP request body when dispatching weixin API requests is not properly sanitized before being used in calls to the cache::get() and cache::put() methods respectively (EventKey ends up in $code, FromUserName in $data['FromUserName']).

Specifically, the $code parameter may contain path traversal sequences, which makes the cache::get() method include an arbitrary PHP file. This can be abused to set the $login_code variable to the string "Array" by including an existing cache file whose cached value is an array (PHP converts an array to the string "Array" when it is concatenated). Subsequently, the cache::put() method writes the FromUserName value into the /cache/weixin/Array.php file, embedding it unescaped within double quotes:
public static function put($file, $data, $type = 'php')
{
    global $_M;

    load::sys_func('file');
    $save = PATH_CACHE . $file . '.' . $type;
    makefile($save);
    #$data = str_replace(array("\"", "\\"), array("\\\"", "\\\\"), $data);   // escaping is commented out
    if (!is_array($data)) {
        // $data is interpolated verbatim into a double-quoted PHP string literal
        file_put_contents($save, "<?php\ndefined('IN_MET') or exit('No permission');\n\$cache=\"{$data}\";\n?>");
    } else {
        $info = var_export($data, true);
        $info = "<?php\ndefined('IN_MET') or exit('No permission');\n\$cache = {$info};\n?>";
        file_put_contents($save, $info);
    }
}

Because the only escaping step is commented out, the FromUserName value is written as-is inside a double-quoted string literal of a PHP file. This can be exploited by remote, unauthenticated attackers to inject and execute arbitrary PHP code by abusing PHP's complex curly syntax (a value of the form {${...}} is evaluated when the generated cache file is included), leading to unauthenticated Remote Code Execution (RCE).
NOTE: when MetInfo is running on non-Windows servers, successful exploitation of this vulnerability requires the /cache/weixin/ directory to exist, which is created when installing and configuring the official WeChat plugin.
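The following is an added example and not MetInfo code: it reproduces the cache::put() sink in isolation with a constructed FromUserName-style value, then contrasts it with a writer that emits the value through var_export() (the same primitive the array branch of cache::put() already uses) and with a cache-key check that rejects the traversal used against cache::get(). The names unsafe_put(), safe_put(), is_safe_cache_key(), load_cache() and CACHE_DIR are assumptions made for the example.

```php
<?php
// Added example, not MetInfo code. Mirrors the cache::put() template and
// shows a hardened writer plus a cache-key whitelist. All names here
// (CACHE_DIR, unsafe_put, safe_put, is_safe_cache_key, load_cache) are
// assumptions for the demonstration.
declare(strict_types=1);

// Stand-in for PATH_CACHE (assumption).
define('CACHE_DIR', sys_get_temp_dir() . '/cache_demo/');

// Mirrors the vulnerable template: $data lands, unescaped, inside a
// double-quoted PHP string literal of the generated file.
function unsafe_put(string $name, string $data): string
{
    $file = CACHE_DIR . $name . '.php';
    @mkdir(dirname($file), 0700, true);
    file_put_contents($file, "<?php\n\$cache=\"{$data}\";\n");
    return $file;
}

// Hardened writer: var_export() produces a quoted, escaped PHP literal, so
// the data can never leave the string context whatever characters it holds.
function safe_put(string $name, string $data): string
{
    $file = CACHE_DIR . $name . '.php';
    @mkdir(dirname($file), 0700, true);
    $literal = var_export($data, true);
    file_put_contents($file, "<?php\n\$cache = {$literal};\n");
    return $file;
}

// Cache keys should be whitelisted rather than filtered: one segment of
// [A-Za-z0-9_-], optionally under a fixed module prefix such as weixin/.
// Dots, extra slashes and absolute paths are rejected outright.
function is_safe_cache_key(string $key): bool
{
    return preg_match('#^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)?$#', $key) === 1;
}

// Equivalent of the read side: include the generated file and return $cache.
function load_cache(string $file)
{
    $cache = null;
    include $file;   // the generated file assigns $cache
    return $cache;
}

// Constructed attacker value, as it would arrive in <FromUserName>.
// {${ expr }} is PHP's complex curly syntax: inside a double-quoted string
// the inner expression is evaluated, so print() runs on include.
$payload = '{${print("code executed\n")}}';

// 1. Vulnerable path: including the file executes the payload
//    (the @ hides the "undefined variable" warning that follows print()).
$f = unsafe_put('Array', $payload);
echo "unsafe: ";
$v = @load_cache($f);

// 2. Hardened path: the include only yields the literal string back.
$f = safe_put('Array', $payload);
$v = load_cache($f);
echo "safe  : payload round-tripped unchanged = ", var_export($v === $payload, true), "\n";

// 3. Key validation rejects the traversal that reaches an arbitrary file.
foreach (['weixin/abc123', 'weixin/../../config/config_db', '/etc/passwd'] as $k) {
    printf("key %-32s -> %s\n", $k, is_safe_cache_key($k) ? 'accepted' : 'rejected');
}
```

Run it with php from the command line; step 1 prints the string produced by the injected print() call, step 2 reports that the same payload came back as inert data, and step 3 shows the two traversal-style keys being rejected. The point of safe_put() is that escaping by hand (the commented-out str_replace() in cache::put()) is easy to get wrong or to drop, whereas var_export() always emits a valid single-quoted literal; the point of is_safe_cache_key() is that cache::get() should never be reachable with a caller-chosen path component in the first place.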
• Proof of Concept:
https://karmainsecurity.com/pocs/CVE-2026-29014.php
• Solution:
No official solution is currently available.
• Disclosure Timeline:
[26/02/2026] – Vendor contacted through several @metinfo.cn and @mituo.cn email addresses, no response
[07/03/2026] – Tried to reach out to the vendor again, no response
[28/03/2026] – Tried to reach out to the vendor once again, no response
[29/03/2026] – Tried to reach out to the vendor through Weibo, no response
[30/03/2026] – CVE identifier requested
[31/03/2026] – CVE identifier assigned
[01/04/2026] – Public disclosure
• CVE Reference:
CVE-2026-29014 has been assigned to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano.