MODX Revolution <= 2.6.4 (Remote Code Execution)

Description

Last week, two critical vulnerabilities affecting MODX Revolution <= 2.6.4 were published: remote script execution and file/directory removal. An attacker who can reach the site can use them to compromise it, or to corrupt or delete files and directories.

In MODX Revolution <= 2.6.4, user-supplied parameters are not properly filtered before being passed to the phpThumb class (an incorrect access control issue). This lets an attacker create a file with a filename and content of their choosing. The attack is reachable through an ordinary web request.
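To make the flaw class concrete, here is an added Python illustration (not MODX's or phpThumb's code, and not the actual vulnerable code path): a thumbnail-cache writer that takes its output directory and file name from request parameters without filtering, next to a hardened version that never lets the client choose the path. The parameter names cache_dir, cache_name, src, w, h and f, the function names and the hostile request are all constructed for the demo, and every write goes to a throw-away temporary directory.

```python
"""Generic illustration of an unfiltered-parameter file write, with a hardened
version. Added example; not MODX's or phpThumb's code. Parameter names
(cache_dir, cache_name, src, w, h, f) and function names are assumptions for
the demo. All writes happen under a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path

ALLOWED_FORMATS = {"jpg", "jpeg", "png", "gif"}


def write_cache_vulnerable(cache_root: Path, params: dict, content: bytes) -> Path:
    """Trusts the client-supplied directory and file name as-is.

    A request that sets cache_dir to an arbitrary directory, or cache_name to a
    traversal such as ../shell.php, gets a file of its choosing written there.
    """
    target_dir = Path(params.get("cache_dir", str(cache_root)))
    target = target_dir / params.get("cache_name", "thumb.jpg")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(content)
    return target


def write_cache_hardened(cache_root: Path, params: dict, content: bytes) -> Path:
    """Never lets the client pick the path.

    - the output directory is fixed to cache_root (cache_dir is ignored);
    - the file name is derived from a hash of the request, not copied from it;
    - the extension comes from an allow-list, so no .php output is possible;
    - the resolved path is verified to stay under cache_root before writing.
    """
    fmt = str(params.get("f", "jpg")).lower()
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"disallowed output format: {fmt!r}")
    # Only the parameters that legitimately shape the thumbnail feed the name.
    key = "|".join(f"{k}={params.get(k, '')}" for k in ("src", "w", "h", "f"))
    name = hashlib.sha256(key.encode()).hexdigest()[:32]
    root = cache_root.resolve()
    target = (root / f"{name}.{fmt}").resolve()
    if root not in target.parents:  # defence in depth; a hex name cannot escape
        raise ValueError("resolved path escapes the cache root")
    root.mkdir(parents=True, exist_ok=True)
    target.write_bytes(content)
    return target


def demonstrate() -> dict:
    """Run both writers against a constructed hostile request in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp)
        cache_root = web_root / "cache"
        cache_root.mkdir()
        payload = b"<?php system($_GET['c']); ?>"  # constructed attacker content
        # Constructed hostile request: directory and traversal name chosen by the client.
        hostile = {"src": "assets/logo.png", "cache_dir": str(web_root / "assets"),
                   "cache_name": "../shell.php", "f": "php"}

        vuln_path = write_cache_vulnerable(cache_root, hostile, payload).resolve()
        escaped = cache_root.resolve() not in vuln_path.parents  # landed in web_root

        try:
            write_cache_hardened(cache_root, hostile, payload)
            rejected = False
        except ValueError:
            rejected = True

        benign = {"src": "assets/logo.png", "w": "120", "h": "80", "f": "jpg"}
        safe_path = write_cache_hardened(cache_root, benign, b"\xff\xd8\xff\xe0 fake jpeg")
        inside = cache_root.resolve() in safe_path.parents and safe_path.suffix == ".jpg"

        return {
            "vulnerable_path_escaped": escaped,
            "vulnerable_wrote": vuln_path.name,
            "hardened_rejected": rejected,
            "hardened_benign_inside": inside,
        }


if __name__ == "__main__":
    print(demonstrate())
```

The hardening shown is the general pattern rather than MODX's specific patch: fix the directory server-side, derive the name from the request instead of copying it, allow-list the extension, and still verify the resolved path before writing. Running the file prints the outcome for both writers.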

The vulnerability was reported on 11 July and the MODX development team released a fix within 18 hours. Anyone running MODX Revolution 2.6.4 or below should upgrade as soon as possible. (Take a backup of your website before upgrading, so that you can simply restore it if something goes wrong.)
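As an added helper for the upgrade advice (example code, not part of the original post or of MODX), the following Python script reads the installed version from core/docs/version.inc.php, the file MODX Revolution uses to record its release, and reports whether the install is still in the affected range. The file layout and the $v['version'] assignment format are assumed from MODX's conventions; the sample file content is constructed.

```python
"""Decide whether a MODX Revolution install falls in the affected range (<= 2.6.4).

Added example; not part of the original post or of MODX itself. It assumes the
usual layout in which core/docs/version.inc.php carries an assignment such as
$v['version']= '2.6.4';  The sample file content below is constructed.
"""
import re
import tempfile
from pathlib import Path

FIXED_IN = (2, 6, 5)  # first release carrying the fix, per the advisory

# Matches  $v['version']= '2.6.4';  but not $v['full_version'] or $v['major_version'].
VERSION_RE = re.compile(r"""\$v\[\s*['"]version['"]\s*\]\s*=\s*['"]([^'"]+)['"]""")

# Constructed stand-in for core/docs/version.inc.php of an affected install.
CONSTRUCTED_VERSION_FILE = """<?php
$v= array();
$v['version']= '2.6.4';
$v['major_version']= '2';
$v['minor_version']= '6';
$v['patch_level']= '4';
$v['code_name']= 'pl';
$v['full_version']= $v['version'] . '-' . $v['code_name'];
"""


def parse_version(text: str) -> tuple:
    """Return the release as a tuple of ints, e.g. (2, 6, 4).

    Comparing tuples avoids the string-comparison mistake where '2.6.10'
    sorts below '2.6.4'. A '-pl' or '-rc1' suffix, if present, is dropped.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no $v['version'] assignment found")
    numeric = m.group(1).split("-", 1)[0]
    return tuple(int(part) for part in numeric.split("."))


def is_affected(version: tuple) -> bool:
    """True for every release below the fixed version, i.e. <= 2.6.4."""
    return version < FIXED_IN


def check_install(root: Path) -> dict:
    """Inspect an install rooted at `root` and report version and status."""
    version = parse_version((root / "core" / "docs" / "version.inc.php").read_text())
    affected = is_affected(version)
    return {
        "version": ".".join(str(p) for p in version),
        "affected": affected,
        "action": "upgrade to 2.6.5 or later" if affected else "none required",
    }


if __name__ == "__main__":
    # Stand up a throw-away install with the constructed version file and check it.
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "core" / "docs"
        docs.mkdir(parents=True)
        (docs / "version.inc.php").write_text(CONSTRUCTED_VERSION_FILE)
        print(check_install(Path(tmp)))
```

Version strings are compared as integer tuples, so a hypothetical 2.6.10 correctly counts as newer than 2.6.4; a plain string comparison would flag it as vulnerable.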

Solutions

  1. Upgrade to MODX Revolution 2.6.5 or above.
  2. If you are on 2.6.4, you can instead replace the changed files included in the two fix commits: the first can be applied manually to versions back to 2.3.0, the second to versions back to 2.5.2. Note that replacing files in other versions of MODX Revolution could lead to unintended consequences; upgrading is always preferred.
  3. Opsshield offers a cPanel security plugin (cPGuard) with AI-based detection features and ModSecurity rules.

Product: MODX Revolution

Severity: Critical
Versions: <=2.6.4
Vulnerability type(s): Remote code execution / file and directory deletion
Report date: 2018-Jul-11
Fixed date: 2018-Jul-12

Final words

If you have not yet updated MODX to the latest version, do so as soon as possible; otherwise attackers can compromise your website. Upgrading to 2.6.5 or later should be considered mandatory.

Websites using the Malware Expert ModSecurity rules are protected against this attack.