CVE-2026-29014 (a critical, unauthenticated PHP code injection flaw in MetInfo CMS — an open-source content management system widely deployed by Chinese businesses) carries a CVSS v3.1 score of 9.8, the highest severity tier, meaning the vulnerability is remotely exploitable with no authentication, no user interaction, and no special privileges required. Attackers actively exploiting it can execute arbitrary commands on the underlying server and take full control of the host. A patch was released on April 7, 2026; exploitation began April 25 and surged dramatically on May 1.
CVE-2026-29014: Technical Details
CVE-2026-29014 (a code injection vulnerability — a class of flaw where an attacker can insert executable instructions into a running application and have the server run them as its own code) exists in MetInfo CMS versions 7.9, 8.0, and 8.1. The vulnerability lives in the WeChat mini-program API handler, accessible at:
/app/system/entrance.php?n=include&m=module&c=weixin&a=doapi
MetInfo's WeChat integration endpoint (part of the officially supported WeChat plugin for connecting CMS sites to China's WeChat ecosystem) accepts HTTP requests intended to process WeChat API callbacks. Due to insufficient sanitization of user-supplied input, an attacker can craft an HTTP request that contains arbitrary PHP code. The CMS writes that input — unmodified — into a PHP cache file under /cache/weixin/ on the server's filesystem. On the next request, the CMS includes and executes that cache file, causing the injected PHP to run with the privileges of the web server process.
One important prerequisite applies on non-Windows servers: the /cache/weixin/ directory must exist on the target. This directory is created automatically when the WeChat plugin is installed and configured. Servers running MetInfo without the WeChat plugin installed, and therefore without the directory present, are not directly exploitable via this vector. On Windows hosts, path-handling differences may allow exploitation regardless of directory state.
The NVD entry for CVE-2026-29014 lists the CVSS v3.1 vector as AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — which breaks down as: network-accessible attack surface, low attack complexity, no privileges required, no user interaction, with complete compromise of confidentiality, integrity, and availability. In plain terms: any attacker with a network path to the server can exploit this without logging in or tricking a user into doing anything.
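To show how the 9.8 score follows from that vector, here is an added example (not from the advisory, NVD or MetInfo) that parses a CVSS v3.1 vector string and applies the base-score formulas from the CVSS v3.1 specification in POSIX shell with awk. The function name cvss31_base is an assumption of this example; the metric weights and the Roundup definition are the specification's.

```bash
#!/bin/sh
# Added example: compute a CVSS v3.1 base score from its vector string, following
# the formulas in the CVSS v3.1 specification. Not from the advisory or NVD tooling.
# Usage: cvss31_base 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'   (prints 9.8)
cvss31_base() {
  vec=${1#CVSS:3.1/}            # the "CVSS:3.1/" prefix is optional here
  av=0; ac=0; pr=N; ui=0; s=U; c=0; i=0; a=0
  old_ifs=$IFS; IFS='/'
  for m in $vec; do
    case "$m" in
      AV:N) av=0.85 ;; AV:A) av=0.62 ;; AV:L) av=0.55 ;; AV:P) av=0.2 ;;
      AC:L) ac=0.77 ;; AC:H) ac=0.44 ;;
      PR:N|PR:L|PR:H) pr=${m#PR:} ;;      # weight is fixed once Scope is known
      UI:N) ui=0.85 ;; UI:R) ui=0.62 ;;
      S:U|S:C) s=${m#S:} ;;
      C:H) c=0.56 ;; C:L) c=0.22 ;; C:N) c=0 ;;
      I:H) i=0.56 ;; I:L) i=0.22 ;; I:N) i=0 ;;
      A:H) a=0.56 ;; A:L) a=0.22 ;; A:N) a=0 ;;
      *) IFS=$old_ifs; echo "unknown metric: $m" >&2; return 1 ;;
    esac
  done
  IFS=$old_ifs
  # Privileges Required weighs more when Scope is Changed
  case "$pr$s" in
    NU|NC) prw=0.85 ;; LU) prw=0.62 ;; LC) prw=0.68 ;; HU) prw=0.27 ;; HC) prw=0.5 ;;
  esac
  awk -v av="$av" -v ac="$ac" -v pr="$prw" -v ui="$ui" -v s="$s" \
      -v c="$c" -v i="$i" -v a="$a" '
    # Roundup as the spec defines it: smallest one-decimal value >= x, done on integers
    function roundup(x,  n) {
      n = int(x * 100000 + 0.5)
      if (n % 10000 == 0) return n / 100000
      return (int(n / 10000) + 1) / 10
    }
    BEGIN {
      iss = 1 - (1 - c) * (1 - i) * (1 - a)
      if (s == "U") impact = 6.42 * iss
      else          impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ^ 15
      expl = 8.22 * av * ac * pr * ui
      if (impact <= 0)   base = 0
      else if (s == "U") base = roundup((impact + expl) < 10 ? (impact + expl) : 10)
      else               base = roundup((1.08 * (impact + expl)) < 10 ? 1.08 * (impact + expl) : 10)
      printf "%.1f\n", base
    }'
}

# Stand-alone run with the vector NVD lists for CVE-2026-29014
cvss31_base 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'
```

For this vector the impact sub-score is 6.42 × (1 − 0.44³) ≈ 5.87 and the exploitability sub-score is 8.22 × 0.85 × 0.77 × 0.85 × 0.85 ≈ 3.89; their sum, 9.76, rounds up to 9.8. The same function scores any other v3.1 vector, which is useful when triaging advisories that publish only the vector.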
MetInfo released a patched version on April 7, 2026. Despite this, a significant portion of internet-facing deployments had not applied the update when exploitation began.
Exploitation Status and Threat Landscape
Active exploitation of CVE-2026-29014 was first observed on April 25, 2026, when VulnCheck (a vulnerability intelligence firm) detected a small number of exploit attempts against honeypots — decoy servers designed to attract and log attack traffic — in the United States and Singapore. These initial attempts appeared opportunistic and low-volume, consistent with early-stage scanning campaigns that follow public disclosure.
The situation changed materially on May 1, 2026, when attack activity surged. The spike was concentrated on IP addresses originating from China and Hong Kong, suggesting a shift toward more targeted exploitation of the large MetInfo install base in those regions. As of this writing, no public proof-of-concept (PoC) exploit code — that is, a working demonstration of the attack technique published for anyone to use — has been confirmed, though the surge in honeypot hits implies that functional exploit tooling exists in the hands of active threat actors.
There is no current CISA KEV (Known Exploited Vulnerabilities) listing for CVE-2026-29014. The CISA KEV catalog (maintained by the U.S. Cybersecurity and Infrastructure Security Agency, which tracks vulnerabilities with confirmed active exploitation and mandates remediation timelines for federal agencies) has not yet designated this CVE, though the confirmed exploitation activity makes an eventual listing plausible if attacks expand beyond the Chinese market. No specific MITRE ATT&CK technique has been publicly attributed, though the mechanism aligns with T1190 (Exploit Public-Facing Application, a technique where attackers target internet-accessible software to gain initial access).
Who Is Affected
MetInfo CMS versions 7.9, 8.0, and 8.1 are vulnerable. The patched release is version 8.1.1 or later. Versions prior to 7.9 have not been confirmed vulnerable; administrators running older major versions should nonetheless review their exposure given the vendor's general update cadence.
Approximately 2,000 MetInfo instances are publicly accessible on the internet, according to scanning data cited by VulnCheck. The overwhelming majority are hosted by organizations in China, where MetInfo has a substantial market presence as a domestic CMS for corporate websites, government portals, and e-commerce platforms. The narrower geographic footprint relative to global CMS platforms like WordPress does not reduce the severity of the risk for affected organizations — a CVSS 9.8 unauthenticated RCE is a critical exposure regardless of scale.
Deployments running the WeChat plugin with the /cache/weixin/ directory present are at highest risk. Cloud-hosted MetInfo instances are affected to the same degree as on-premises installations.
What You Should Do Right Now
- Upgrade MetInfo to version 8.1.1 or later. Download the patch from the official MetInfo website. Apply the update immediately on any internet-facing instance. If you are running MetInfo 7.9 or 8.0, check the vendor's upgrade path; a direct upgrade to the latest stable release is recommended over incremental patching.
- Check whether the WeChat plugin is installed and the cache directory exists. If the plugin is not in use, disable it and remove the /cache/weixin/ directory to eliminate the attack surface even if patching is delayed:

```bash
ls -la /path/to/metinfo/cache/weixin/
```

If the directory is present and the plugin is unnecessary, remove it:

```bash
rm -rf /path/to/metinfo/cache/weixin/
```
- Search server logs for exploitation attempts. Look for HTTP requests targeting the vulnerable endpoint (the pattern anchors on both the weixin controller and the doapi action, which appear in the query string after entrance.php):

```bash
grep -Ei 'entrance\.php\?.*c=weixin.*a=doapi' /var/log/nginx/access.log /var/log/apache2/access.log 2>/dev/null
```

Any matches, especially those with large POST bodies or unusual parameter values, warrant immediate investigation.
- Scan the cache directory for PHP webshells. A successful exploit would write PHP files into /cache/weixin/. Look for recently created .php files:

```bash
find /path/to/metinfo/cache/weixin/ -name "*.php" -newer /path/to/metinfo/app/system/entrance.php
```

Any PHP file in that directory that you cannot attribute to the plugin's own cache writes, and in particular any file written after the core files were installed or last patched, should be treated as a potential indicator of compromise.
- Restrict web server permissions on the cache directory. If patching is not immediately possible, make the cache directory read-only for the web server process so that the injected cache file cannot be written in the first place (the CMS runs that file via include, so execute bits on the file or directory do not stop it):

```bash
chmod 555 /path/to/metinfo/cache/weixin/
```

This also blocks the plugin's legitimate cache writes, and it is a workaround, not a fix; patch as soon as possible.
- If compromise is suspected, treat the host as compromised. Isolate the server, preserve logs and filesystem snapshots for forensic analysis, rotate all credentials (database passwords, API keys, admin accounts) that were accessible from the server, and conduct a full incident response engagement before returning the server to production.
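The three host-side checks above (cache directory present, requests to the endpoint in the access logs, PHP files written into the cache after the core files) can be run together from one script. The following is an added example, not MetInfo's own tooling; it assumes only the layout the advisory names (app/system/entrance.php under the install root, the WeChat cache at cache/weixin/) and an access log in the common/combined format with the client address in the first field. The function names, the fixture it builds and every log line, address and timestamp in it are constructed for the example.

```bash
#!/bin/sh
# Added triage helper for the checks listed above. Not MetInfo's own tooling; it
# assumes app/system/entrance.php and cache/weixin/ under the install root, and an
# access log in common/combined format (client IP in field 1).

# Request line of the vulnerable handler: the query string must carry both the
# controller (c=weixin) and the action (a=doapi). A regex such as
# "entrance\.php.weixin.doapi" would not match, because "." matches one character.
DOAPI_RE='entrance\.php\?[^ "]*c=weixin[^ "]*a=doapi'

# Exit 0 when the non-Windows prerequisite (the cache/weixin directory) is present.
weixin_cache_present() {
  [ -d "$1/cache/weixin" ]
}

# Print the number of requests to the doapi handler across the given access logs.
count_doapi_requests() {
  cat "$@" 2>/dev/null | grep -Eic "$DOAPI_RE" || true
}

# Print "<count> <ip>" per source address, most active first.
doapi_sources() {
  cat "$@" 2>/dev/null | grep -Ei "$DOAPI_RE" \
    | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print PHP files under cache/weixin/ modified after the core entrance.php,
# i.e. files that appeared after the install or the last patch.
recent_cache_php() {
  find "$1/cache/weixin" -name '*.php' -newer "$1/app/system/entrance.php" 2>/dev/null
}

# Build a constructed fixture: a fake install root plus a fake access log.
# All addresses are documentation ranges and all timestamps are invented.
make_sample_install() {
  root=$(mktemp -d)
  mkdir -p "$root/app/system" "$root/cache/weixin"
  printf '<?php // core entry point (placeholder)\n' > "$root/app/system/entrance.php"
  touch -t 202604070000 "$root/app/system/entrance.php"            # patch day
  printf '<?php // legitimate plugin cache (placeholder)\n' > "$root/cache/weixin/legacy.php"
  touch -t 202604010000 "$root/cache/weixin/legacy.php"             # predates entrance.php
  printf '<?php // file that appeared after the patch (placeholder)\n' > "$root/cache/weixin/dropped.php"
  touch -t 202605011015 "$root/cache/weixin/dropped.php"            # postdates entrance.php
  cat > "$root/access.log" <<'EOF'
203.0.113.5 - - [01/May/2026:10:15:02 +0000] "POST /app/system/entrance.php?n=include&m=module&c=weixin&a=doapi HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [01/May/2026:10:16:11 +0000] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/May/2026:10:16:40 +0000] "POST /app/system/entrance.php?n=include&m=module&c=weixin&a=doapi HTTP/1.1" 200 498 "-" "python-requests/2.31"
198.51.100.7 - - [01/May/2026:10:17:03 +0000] "GET /app/system/entrance.php?n=include&m=module&c=weixin HTTP/1.1" 200 305 "-" "Mozilla/5.0"
192.0.2.44 - - [01/May/2026:10:18:22 +0000] "POST /app/system/entrance.php?n=include&m=module&c=weixin&a=doapi HTTP/1.1" 500 0 "-" "curl/8.5.0"
EOF
  echo "$root"
}

# Stand-alone run against the fixture; in practice point these at the real install
# root and the real logs (/var/log/nginx/access.log, /var/log/apache2/access.log).
ROOT=$(make_sample_install)
if weixin_cache_present "$ROOT"; then echo "cache/weixin present: yes"; else echo "cache/weixin present: no"; fi
echo "doapi requests: $(count_doapi_requests "$ROOT/access.log")"
echo "sources:"; doapi_sources "$ROOT/access.log"
echo "php files newer than entrance.php:"; recent_cache_php "$ROOT"
rm -rf "$ROOT"
```

On the fixture this reports three requests to the handler (two from 203.0.113.5, one from 192.0.2.44), ignores the request to the weixin controller that carries no doapi action, and lists only dropped.php, since legacy.php is older than entrance.php. The grep matches the literal query string only; requests with URL-encoded parameters or a rewritten path would need decoding before this check, and a 500 response on the endpoint (as in the last constructed line) still counts as an attempt.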
Background: Understanding the Risk
PHP code injection vulnerabilities in CMS platforms are not new, but they remain consistently dangerous because of how CMS platforms handle user input at scale. A CMS by design accepts input from many sources — form submissions, API callbacks, plugin hooks — and passes that input through processing pipelines. When sanitization is missing or insufficient at any point in that pipeline, and when the processed output ends up in a file that the PHP interpreter later executes, an attacker gains a reliable path to arbitrary code execution.
The WeChat integration vector is particularly notable. Millions of websites in China use WeChat mini-program integrations to allow visitors to interact with site content through WeChat (a messaging and payments super-app with over one billion active users). The WeChat API callback endpoint must be reachable from the internet to function — it receives incoming data from WeChat's servers. This architectural requirement means the vulnerable endpoint cannot simply be firewalled off without breaking legitimate functionality for sites that need the integration.
MetInfo is not the only CMS to have suffered this class of vulnerability. Similar PHP code injection flaws have appeared in other widely-deployed open-source CMS platforms over the years, typically in plugin or integration code added after the core platform is established. The pattern is consistent: a third-party integration added for business functionality creates an unauthenticated inbound endpoint, that endpoint handles external data without sufficient validation, and an attacker discovers the path from controlled input to executable output.
The surge in exploitation activity observed on May 1, 2026 — more than three weeks after the patch was released — mirrors the exploitation patterns seen with other high-severity CMS vulnerabilities. There is typically a lag between patch release and mass exploitation because attackers need time to reverse-engineer the patch to understand exactly what was changed and where the vulnerability lies. Once that analysis is complete, weaponized exploit code can spread rapidly. The window between patch release (April 7) and exploitation surge (May 1) is consistent with this model.
For organizations running MetInfo, the patch has been available for nearly a month. The exploitation activity underway eliminates any ambiguity about urgency.
Conclusion
CVE-2026-29014 is a CVSS 9.8 unauthenticated PHP code injection vulnerability in MetInfo CMS 7.9 through 8.1 that allows full server takeover in a single HTTP request. Exploitation is confirmed and accelerating. Any organization running a vulnerable MetInfo instance — particularly those with the WeChat plugin installed — must patch to version 8.1.1 or later immediately; if patching cannot be done in the next 24 hours, removing or restricting the /cache/weixin/ directory is an essential interim step.
For any query contact us at contact@cipherssecurity.com

