CVE-2019-25687

CriticalPublic PoC

Published: 05 April 2026

Published

05 April 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0106 77.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Pegasus CMS 1.0 contains a remote code execution vulnerability in the extra_fields.php plugin that allows unauthenticated attackers to execute arbitrary commands by exploiting unsafe eval functionality. Attackers can send POST requests to the submit.php endpoint with malicious PHP code in…

the action parameter to achieve code execution and obtain an interactive shell.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires identifying, reporting, and correcting flaws like the unsafe eval in extra_fields.php, directly remediating the RCE vulnerability.

SI-10 Information Input Validation good match

prevent

SI-10 mandates validating inputs such as the malicious 'action' parameter to block arbitrary PHP code execution via eval.

CM-7 Least Functionality good match

prevent

CM-7 enforces least functionality by prohibiting or restricting the vulnerable extra_fields.php plugin, eliminating the attack surface.

Security SummaryAI

CVE-2019-25687 is a remote code execution vulnerability affecting Pegasus CMS version 1.0, specifically in the extra_fields.php plugin. The flaw stems from unsafe eval functionality, enabling unauthenticated attackers to execute arbitrary commands. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-22.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By sending POST requests to the submit.php endpoint with malicious PHP code in the action parameter, attackers achieve remote code execution and can obtain an interactive shell, granting high confidentiality, integrity, and availability impacts.

Advisories and references, including an Exploit-DB entry at https://www.exploit-db.com/exploits/46542, a VulnCheck advisory at https://www.vulncheck.com/advisories/pegasus-cms-remote-code-execution-via-extra-fields-php, and vendor information at https://www.wisdom.com.au/web/pegasus-cms, provide details on the issue, though specific patch or mitigation guidance is not detailed in the CVE description. Security practitioners should review these for remediation steps, such as upgrading the CMS or disabling the affected plugin.

Details

CWE(s): CWE-22

Affected Products

wisdom

pegasus cms

1.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2019-25687 enables unauthenticated remote code execution via unsafe eval in a public-facing web application (Pegasus CMS), directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.exploit-db.com/exploits/46542
Exploit, VDB Entry · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/pegasus-cms-remote-code-execution-via-extra-fields-php
Third Party Advisory · disclosure@vulncheck.com
https://www.wisdom.com.au/web/pegasus-cms
Product · disclosure@vulncheck.com