QwikSec

Security Database

CVE

CWE

Training

CVE-2014-125116

Published: Jul 25, 2025

Modified: Apr 7, 2026

PUBLISHED

Description

A remote code execution vulnerability exists in HybridAuth versions 2.0.9 through 2.2.2 due to insecure use of the install.php installation script. The script remains accessible after deployment and fails to sanitize input before writing to the application’s config.php file. An unauthenticated attacker can inject arbitrary PHP code into config.php, which is later executed when the file is loaded. This allows attackers to achieve remote code execution on the server. Exploitation of this issue will overwrite the existing configuration, rendering the application non-functional.

Vendor	Product	Versions
HybridAuth	HybridAuth	affected `2.0.9 - <= 2.2.2`

Weaknesses (CWE)

References

https://www.exploit-db.com/exploits/34390

exploit

https://www.exploit-db.com/exploits/34273

exploit

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb

exploit

https://vulners.com/metasploit/MSF:EXPLOIT-UNIX-WEBAPP-HYBRIDAUTH_INSTALL_PHP_EXEC-

third-party-advisory

https://hybridauth.github.io/

product

https://www.vulncheck.com/advisories/hybridauth-unauth-rce-via-config-injection

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.