We are getting reports of active exploitation for recently patched PHP code injection vulnerability in MODX Evolution SB2016111601. The vulnerability is particularly dangerous as it allows permanently inject PHP code into database of vulnerable web application.
The exploit code spotted in the wild stores PHP backdoor into user configuration in database and executes it every time the vulnerable parseUserConfig() function is called.
As of November 30, 2016, this vulnerability is being exploited in the wild against websites powered by MODX Evolution.
We strongly recommend to install the latest security patch to avoid possible website compromise:
http://extras.evolution-cms.com/packages/core/security-fix.html