Back to KEVs

CVE-2018-11686

The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php.

Basic Information

CVE State
PUBLISHED
Reserved Date
June 03, 2018
Published Date
July 03, 2019
Last Updated
August 05, 2024
Vendor
FlowPaper
Product
FlowPaper
Description
The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php.
Tags
php

CVSS Scores

CVSS v3.0

9.8 - CRITICAL

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Score

Score
83.57% (Percentile: 99.22%) as of 2025-06-05

Exploit Status

Exploited in the Wild
Yes (2025-05-08 00:00:00 UTC) Source

References

https://flowpaper.com/blog/ https://redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-05-08 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

mpgn/CVE-2018-11686

Type: github • Created: 2019-03-20 19:36:10 UTC • Stars: 6

CVE-2018-11686 - FlexPaper PHP Publish Service RCE <= 2.3.6

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel