CVE-2026-29014, a CVSS 9.8 critical unauthenticated PHP code injection vulnerability in MetInfo CMS versions 7.9, 8.0, and 8.1, has been actively exploited in the wild since April 25, 2026, with a significant surge in attack volume detected on May 1 targeting systems in China and Hong Kong. The flaw was patched on April 7, 2026 — leaving an 18-day window during which attackers began weaponizing the vulnerability against unpatched deployments. Automated probing has been detected against U.S. and Singapore honeypots, indicating expanding attack scope beyond the initial target region.
CVE-2026-29014: Unauthenticated PHP Code Injection via WeChat Plugin Delivers Full Server Control
The vulnerability originates from insufficient input sanitization in the WeChat plugin integration script bundled with MetInfo CMS. An unauthenticated remote attacker can submit crafted input to the plugin endpoint, injecting and executing arbitrary PHP code on the server without supplying any credentials. Successful exploitation gives the attacker full server control — the ability to read, modify, or delete files; execute system commands; establish persistence; and pivot to other systems accessible from the compromised host.
Exploitation requires the /cache/weixin/ directory to be present on the server, a condition that exists on non-Windows MetInfo installations with the WeChat plugin active. The flaw affects MetInfo CMS versions 7.9, 8.0, and 8.1.
Eighteen-Day Exploitation Window After Patch Release
The patch for CVE-2026-29014 was released on April 7, 2026. Active exploitation was first detected on April 25, 2026 — eighteen days after the patch became available. The gap between patch release and the onset of exploitation confirms a documented pattern in CMS vulnerability abuse: attackers monitor patch advisories, reverse-engineer the fixed code to reconstruct the vulnerable behavior, and begin automated scanning and exploitation against the unpatched population within days to weeks of patch publication.
A significant surge in exploitation activity was recorded on May 1, 2026. The surge involved concentrated attacks against systems in China and Hong Kong, consistent with the geographic distribution of MetInfo CMS deployments.
Approximately 2,000 Exposed MetInfo Instances Targeted; U.S. and Singapore Honeypots Probed
Researchers estimate approximately 2,000 MetInfo CMS instances are accessible online and potentially exposed to exploitation. The primary attack volume has been directed at systems in China and Hong Kong. However, automated probing of U.S. and Singapore honeypots has also been detected, indicating that attackers are conducting broad scanning beyond the primary target geography and that unpatched instances in other regions face active reconnaissance.
CVE-2026-29014 Exploited via Automated Scanning Against MetInfo’s WeChat Plugin Endpoint
The exploitation of CVE-2026-29014 has involved automated probing — scanning large IP ranges for the presence of MetInfo CMS and the WeChat plugin endpoint, then submitting injection payloads against discovered targets. Automated exploitation at this scale means that unpatched, internet-accessible MetInfo deployments anywhere in the world face active attack attempts, not only those in the primary target region.
The unauthenticated nature of the flaw means no prior access is required. An attacker identifying a vulnerable MetInfo CMS instance from an internet scan can immediately attempt exploitation without needing credentials, valid sessions, or prior reconnaissance of the target organization.
MetInfo CMS Operators Should Confirm Patch Status Immediately
The April 7, 2026 patch for CVE-2026-29014 is the authoritative remediation for this vulnerability. Organizations running MetInfo CMS 7.9, 8.0, or 8.1 that have not applied the April patch are running actively exploited software as of May 5, 2026. With an estimated 2,000 exposed instances online and automated scanning confirmed across multiple geographic regions, unpatched systems face near-certain exploitation attempts.
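One way to triage a fleet against the conditions described above (affected version, patch status, and the presence of the cache/weixin directory). This is an added example, not code from MetInfo or from the original article; the function names, result labels, and the operator-supplied inventory of version and patch status are assumptions, and the sample webroots are constructed.

```python
import re
import tempfile
from pathlib import Path

AFFECTED = {"7.9", "8.0", "8.1"}  # affected versions as listed in this article


def major_minor(version):
    """Reduce strings like 'V8.1' or '7.9.0' to 'major.minor'; None if unparseable."""
    m = re.match(r"\s*[vV]?(\d+)\.(\d+)", version or "")
    return f"{m.group(1)}.{m.group(2)}" if m else None


def triage(webroot, version, patch_applied):
    """Classify one install. version and patch_applied come from the operator's
    own inventory (assumption); nothing is read from MetInfo's files."""
    mm = major_minor(version)
    if mm is None:
        return "unknown-version"
    if mm not in AFFECTED:
        return "version-not-listed"
    if patch_applied:
        return "patched"
    # Precondition named in the article: the cache/weixin directory exists.
    if (Path(webroot) / "cache" / "weixin").is_dir():
        return "unpatched-precondition-present"
    return "unpatched-precondition-absent"


def demo():
    """Build constructed sample webroots in a temp dir and triage each one."""
    inventory = [  # (name, has cache/weixin, version, patch applied)
        ("site-a", True, "V8.1", False),
        ("site-b", False, "7.9.0", False),
        ("site-c", True, "8.0", True),
    ]
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, has_dir, version, patched in inventory:
            root = Path(tmp, name)
            (root / "cache" / ("weixin" if has_dir else "other")).mkdir(parents=True)
            results.append(triage(root, version, patched))
    return results


if __name__ == "__main__":
    for label in demo():
        print(label)
```

An "unpatched-precondition-absent" result only orders the work: the directory can appear later if the WeChat plugin is activated, so those installs still need the April 7 patch.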
