{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2018-25270","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2026-04-22T14:32:40.667Z","datePublished":"2026-04-22T14:57:03.961Z","dateUpdated":"2026-04-22T15:59:29.873Z"},"containers":{"cna":{"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2026-04-22T14:57:03.961Z"},"datePublic":"2018-12-11T00:00:00.000Z","title":"ThinkPHP 5.0.23 Remote Code Execution via invokefunction","descriptions":[{"lang":"en","value":"ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges."}],"problemTypes":[{"descriptions":[{"lang":"en","description":"Authorization Bypass Through User-Controlled Key","cweId":"CWE-639","type":"CWE"}]}],"affected":[{"vendor":"Thinkphp","product":"ThinkPHP","versions":[{"version":"5.0.23","status":"affected"},{"version":"5.1.31","status":"affected"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:thinkphp:thinkphp:5.1.31:*:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:thinkphp:thinkphp:5.0.23:*:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:thinkphp:thinkphp:6.1.3:*:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:thinkphp:thinkphp:8.0.4:*:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:thinkphp:thinkphp:8.0.3:*:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:thinkphp:thinkphp:8.0.2:*:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:thinkphp:thinkphp:8.0.1:*:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:thinkphp:thinkphp:8.0.0:*:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:thinkphp:thinkphp:8.0.0:beta:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:thinkphp:thinkphp:6.1.5:*:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:thinkphp:thinkphp:6.1.4:*:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:thinkphp:thinkphp:6.0.16:*:*:*:*:*:*:*"},{"vulnerable":true,"criteria":"cpe:2.3:a:thinkphp:thinkphp:6.0.15:*:*:*:*:*:*:*"}]}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9.3,"baseSeverity":"CRITICAL","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS"},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"references":[{"url":"https://www.exploit-db.com/exploits/45978","name":"ExploitDB-45978","tags":["exploit"]},{"url":"https://thinkphp.cn","name":"Official Product Homepage","tags":["product"]},{"url":"https://github.com/top-think/framework/","name":"Product Reference","tags":["product"]},{"name":"VulnCheck Advisory: ThinkPHP 5.0.23 Remote Code Execution via invokefunction","tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/thinkphp-remote-code-execution-via-invokefunction"}],"credits":[{"lang":"en","value":"VulnSpy","type":"finder"}],"x_generator":{"engine":"vulncheck"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-22T15:57:46.876160Z","id":"CVE-2018-25270","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-22T15:59:29.873Z"}}]}}