phpWCMS open source web content management system
This is the outdated phpwcms project site.
Something new is coming soon. Always keep in mind to check GitHub for the newest release.
Possible security problems reported
Patched release is on the way

A security problem was reported. Please visit the phpwcms forum to get all information necessary to fix this. A patched release is in preparation.

Please check these 2 points:
Use the new form generator (only available in release 1.2.x) - if you do so you can delete include/inc_act/act_formmailer.php
Delete the directory phpwcms_code_snippets - it is not used anywhere by phpwcms

Related information

What you can do to make your release more secure

One of the main problems might be the possibility of injecting external PHP code into phpwcms through its replacement tags. Here is a way to remove such code from all GET and POST vars.

Add the following lines of code to your index.php:

[Update] Before you add the functions, check whether they already exist in the code and, if so, replace them with the new, better ones. Otherwise a PHP error message might occur like:

Fatal error: Cannot redeclare remove_unsecure_rptags() 
(previously declared in /path/to/phpwcmsneu/index.php:309) 
in /path/to/phpwcmsneu/include/inc_lib/ 
on line 879

function remove_unsecure_rptags($check) {
  // matched tag pairs: drop the markers and keep only the inner text
  $check = preg_replace('/{PHP:(.*?)}/i', '$1', $check);
  $check = preg_replace('/{PHPVAR:(.*?)}/si', '$1', $check);
  // square brackets and the slash must be escaped inside the pattern
  $check = preg_replace('/\[PHP\](.*?)\[\/PHP\]/si', '$1', $check);
  $check = preg_replace('/{URL:(.*?)}/i', '$1', $check);
  // unmatched openers/closers: break them up so they are no longer parsed as tags
  $check = str_replace('[PHP]', '[ PHP ]', $check);
  $check = str_replace('[/PHP]', '[ /PHP ]', $check);
  $check = str_replace('{PHP:', '{ PHP :', $check);
  $check = str_replace('{PHPVAR:', '{ PHPVAR :', $check);
  $check = str_replace('{URL:', '{ URL :', $check);
  return $check;
}

function cleanupPOSTandGET() {
  if(isset($_POST) && count($_POST)) {
    foreach($_POST as $key => $value) {
      // array values (e.g. multi-select fields) are left untouched here
      if(!is_array($_POST[$key])) {
        $_POST[$key] = remove_unsecure_rptags($value);
      }
    }
  }
  if(isset($_GET) && count($_GET)) {
    foreach($_GET as $key => $value) {
      $_GET[$key] = remove_unsecure_rptags($value);
    }
  }
}

You should check whether both functions are already defined. If so - please replace those existing functions with the new ones.
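The cleanup above skips array values in $_POST, so a nested field such as form[msg] would reach phpwcms unfiltered. The following added example (not phpwcms project code; the function name and the sample request are assumptions) applies the same tag defusing recursively and checks the result on a constructed request:

```php
<?php
// Added example, not part of phpwcms: defuse replacement tags in request data
// recursively so nested arrays are covered as well. Name and input are assumed.
function defuse_rptags_recursive($value) {
    if (is_array($value)) {
        // walk nested arrays; the flat cleanup only handles scalar values
        foreach ($value as $k => $v) {
            $value[$k] = defuse_rptags_recursive($v);
        }
        return $value;
    }
    // matched tag pairs: keep the inner text, drop the tag markers
    $value = preg_replace('/\{PHP:(.*?)\}/i', '$1', $value);
    $value = preg_replace('/\{PHPVAR:(.*?)\}/si', '$1', $value);
    $value = preg_replace('/\[PHP\](.*?)\[\/PHP\]/si', '$1', $value);
    $value = preg_replace('/\{URL:(.*?)\}/i', '$1', $value);
    // unmatched or multi-line openers (the {PHP:} pattern has no /s flag):
    // break them up so the template engine no longer recognises them
    $value = str_replace(
        array('[PHP]', '[/PHP]', '{PHP:', '{PHPVAR:', '{URL:'),
        array('[ PHP ]', '[ /PHP ]', '{ PHP :', '{ PHPVAR :', '{ URL :'),
        $value
    );
    return $value;
}

// constructed sample request, shaped like a form submission with nested fields
$sample = array(
    'name'    => 'Alice',
    'comment' => 'Year: {PHP:date("Y")} end',
    'form'    => array(
        'msg'  => '[PHP]echo 1;[/PHP]',
        'tags' => array('{URL:index.php}', "{PHP:\nmulti-line}", 'plain'),
    ),
);
$expected = array(
    'name'    => 'Alice',
    'comment' => 'Year: date("Y") end',
    'form'    => array(
        'msg'  => 'echo 1;',
        'tags' => array('index.php', "{ PHP :\nmulti-line}", 'plain'),
    ),
);
$cleaned = defuse_rptags_recursive($sample);
echo ($cleaned === $expected) ? "all tags defused\n" : "unexpected result\n";
```

Run it with php on the command line; if you adopt it in index.php, call it on $_POST and $_GET in place of the flat loops.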

Search for the line of code where the is included. Add the following line of code so that it looks like:

require_once ("include/inc_front/");
// add this new line of code