CVE-2019-7720
Description
taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php db_name parameter and then making a config.php request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An eval injection in taocms allows attackers to execute arbitrary PHP code via the db_name parameter during installation.
Vulnerability
In taocms through 2014-05-24, the installation script install.php fails to sanitize the db_name parameter, allowing injection of arbitrary PHP code. The code is written into config.php via file_put_contents, and subsequent requests to config.php execute the injected code [1].
Exploitation
An attacker must have network access to the taocms installation page. By sending a POST request to install.php with a crafted db_name parameter containing PHP code (e.g., ');assert($_REQUEST['cmd']);//), the code is embedded into config.php. Then, accessing config.php with a cmd parameter triggers execution [1].
Impact
Successful exploitation allows arbitrary PHP code execution, potentially leading to full web server compromise, including web shell acquisition and data exfiltration [1].
Mitigation
No official fix has been released for this vulnerability. Users should avoid using taocms versions through 2014-05-24 and consider migrating to an alternative CMS. The vendor repository is inactive, and no patch is available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
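The root cause described above is request input concatenated into generated PHP source. The following is an added example, not taocms code and not taken from the cited issue; the function names and config layout are hypothetical. It contrasts that pattern with an allowlist plus var_export(), and uses PHP's tokenizer to check whether a rendered config holds anything other than constants.

```php
<?php
// Added example: hypothetical installer helpers, not taocms source code.

// Vulnerable pattern: the value is pasted between quotes in generated PHP source,
// so a quote inside $dbName ends the literal and the remainder is parsed as code.
function render_config_unsafe(string $dbName): string
{
    return "<?php\ndefine('DB_NAME', '" . $dbName . "');\n";
}

// Hardened pattern: allowlist the value, then let var_export() do the quoting.
function render_config_safe(string $dbName): string
{
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $dbName)) {
        throw new InvalidArgumentException('db_name must match [A-Za-z0-9_]{1,64}');
    }
    return "<?php\nreturn " . var_export(['db_name' => $dbName], true) . ";\n";
}

// Review check: a constants-only config file should contain no variable tokens.
function has_variable_tokens(string $phpSource): bool
{
    foreach (token_get_all($phpSource) as $tok) {
        if (is_array($tok) && $tok[0] === T_VARIABLE) {
            return true;
        }
    }
    return false;
}

// The db_name value quoted on this page, used only as test input (never executed).
$payload = "');assert(\$_REQUEST['cmd']);//";

var_dump(has_variable_tokens(render_config_unsafe($payload)));  // value left its quotes
var_dump(has_variable_tokens(render_config_unsafe('taocms')));  // benign value

// var_export() alone keeps the same bytes inside one string literal.
$quoted = "<?php\nreturn " . var_export(['db_name' => $payload], true) . ";\n";
var_dump(has_variable_tokens($quoted));

// The allowlist rejects the value before anything would be written to disk.
try {
    render_config_safe($payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same token check can be run over an existing config.php during incident review to spot values that were written as code rather than as string literals.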
Affected products: 2
Patches: 0
No patches discovered yet.
References
[1] github.com/taogogo/taocms/issues/1 (mitre, x_refsource_MISC)