MODX Revolution 2.X SQL Injection

By Jay Gilmore
March 14, 2014
MODX Revolution 2.X SQL Injection

Product: MODX Revolution
Severity: Extremely Critical
Versions: 2.0.0–2.2.12
Vulnerability type: SQL Injection
Report date: 2014-Mar-5
Fixed date: 2014-Mar-6

A vulnerability was discovered in MODX Revolution that allows users to inject and manipulate the database. Attackers could exploit this to alter or destroy data in the database.

Affected Releases
All MODX Revolution releases prior to and including 2.2.12.


  1. Upgrade to MODX Revolution 2.2.13
  2. To quickly patch 2.2.12 before a complete upgrade you can replace the modx.class.php from 2.2.13 via:
  3. For releases between 2.2.6 and 2.2.11 inclusive, you can replace the modx.class.php with the one from the relevant 'pl2' tag in the MODX Revolution repository. E.g. for v2.2.10-pl it would be".
  4. For releases prior to 2.2.6, please contact MODX Support for assistance patching your version, or to get help with an upgrade to 2.2.13

Special Note for MODX Cloud Users
If your sites are on MODX Cloud, we've taken steps to protect all sites from this issue, as always we recommend you upgrade to 2.2.13 at your earliest convenience.

We would like to thank MODX community member, Mark Ernst, for bringing this issue to our attention.

Additional Information
For additional information, please use the MODX Contact Form