VYPR
Unrated severity · NVD Advisory · Published Mar 14, 2019 · Updated Aug 4, 2024

CVE-2019-9761

Description

An XXE issue was discovered in PHPSHE 1.7, which can be used to read any file in the system or scan the internal network without authentication. This occurs because of the call to wechat_getxml in include/plugin/payment/wechat/notify_url.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PHPSHE 1.7 contains an unauthenticated XXE vulnerability in the WeChat payment callback, allowing arbitrary file reads and internal network scans.

Vulnerability

PHPSHE version 1.7 is vulnerable to XML External Entity (XXE) injection through the call to wechat_getxml in include/plugin/payment/wechat/notify_url.php, the script that receives WeChat payment notifications. The XML body of the notification is parsed with external entity resolution still enabled, so a DOCTYPE supplied by the sender is honoured. This issue is documented in the advisory [1].

Exploitation

The endpoint requires no authentication, so an attacker can exploit the flaw by sending a crafted XML body to the WeChat payment notify endpoint. The body declares an external entity that points either at a local file (e.g., file:///etc/passwd) or at an internal network resource (e.g., an http:// URL on an internal IP address and port). When the parser expands the entity, the file contents or the outcome of the request flow into the application's handling of the notification; where that value is reflected in a response or error message the attacker reads it directly, and error or timing differences are enough to distinguish a reachable internal port from a closed one. The result is file disclosure and internal network scanning from an unauthenticated position.

Impact

Successful exploitation allows an unauthenticated attacker to read arbitrary files that the web server process can access and to perform port scanning or service detection against hosts reachable from the server. This compromises confidentiality (configuration files, credentials, source) and provides reconnaissance for further attacks against the internal network.

Mitigation

As of the available references [1], no official patch or fixed version has been released for PHPSHE 1.7. Users should harden the XML parsing in the affected code (never request entity substitution, disable the external entity loader on PHP 7, and reject notification bodies that contain a DOCTYPE or ENTITY declaration, since WeChat notifications never carry one) or restrict network access to the notification endpoint until a patch is applied.
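The following is an added illustrative example, not PHPSHE's code or the WeChat SDK's: a WeChat-style notification body parsed the vulnerable way beside the hardened way described above. The payload, the element names, the function names parseNotifyVulnerable and parseNotifyHardened, and the internal address mentioned in the comments are all constructed for this demonstration.

```php
<?php
// Added illustrative example (not PHPSHE's code). Shows why a parser that
// expands external entities leaks files, and one hardened replacement.

// Constructed XXE payload shaped like a WeChat pay notification. The entity
// targets a local file; pointing it at http://10.0.0.5:8080/ instead would
// probe an internal host (address constructed for illustration).
$constructedNotifyBody = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE xml [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<xml>
  <return_code><![CDATA[SUCCESS]]></return_code>
  <out_trade_no>&xxe;</out_trade_no>
</xml>
XML;

// Vulnerable pattern: LIBXML_NOENT asks libxml to substitute entities, so
// &xxe; is replaced with the file contents, which then land in whatever the
// application does with out_trade_no (order lookup, logging, error output).
function parseNotifyVulnerable(string $body): array
{
    $doc = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NOENT);
    return $doc === false ? [] : json_decode(json_encode($doc), true);
}

// Hardened pattern:
//  1. Real WeChat notifications never carry a DTD, so reject any body that
//     declares one before it reaches the parser at all.
//  2. Never pass LIBXML_NOENT; add LIBXML_NONET so the parser cannot fetch
//     remote resources even if a declaration slips through.
//  3. On PHP 7 also disable the external entity loader. The function is
//     deprecated on PHP >= 8.0 because loading is already off by default.
function parseNotifyHardened(string $body): array
{
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $body)) {
        throw new InvalidArgumentException('DTD or entity declaration in notify body');
    }
    $previous = null;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    try {
        $doc = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
    } finally {
        if ($previous !== null) {
            libxml_disable_entity_loader($previous);
        }
    }
    if ($doc === false) {
        throw new InvalidArgumentException('malformed notify body');
    }
    return json_decode(json_encode($doc), true);
}

// Usage: the vulnerable parser hands back the start of /etc/passwd in
// out_trade_no; the hardened parser refuses the body before parsing.
$vuln = parseNotifyVulnerable($constructedNotifyBody);
echo "vulnerable parse, out_trade_no begins: ", substr($vuln['out_trade_no'] ?? '', 0, 20), "\n";
try {
    parseNotifyHardened($constructedNotifyBody);
} catch (InvalidArgumentException $e) {
    echo "hardened parse rejected: ", $e->getMessage(), "\n";
}
```

The pre-parse DOCTYPE check is the cheapest defence and does not depend on the PHP or libxml version in use; the parser options are the second layer for bodies that are parsed elsewhere in the codebase without that check.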

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2 entries, both resolving to the same range)

  • phpshe/Phpshe (inferred, no CPE): version = 1.7
  • phpshe/Phpshe (inferred, no CPE): version = 1.7

Patches (0)

No patches discovered yet.

References (1)