CVE-2017-20251
CriticalCVSS 9.8Summary
The Insert PHP plugin for WordPress versions before 3.3.1 contains a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API.
Risk Assessment
Attackers can send POST requests to the wp-json/wp/v2/posts endpoint with crafted content, potentially leading to remote code execution on the server, jeopardizing the security of the entire application.
Recommendation
It is recommended to update the Insert PHP plugin to version 3.3.1 or later to mitigate this vulnerability and to monitor server logs for potential attack attempts.
Original NVD description (English source)
WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API. Attackers can send POST requests to the wp-json/wp/v2/posts endpoint with crafted content containing insert_php shortcodes to include and execute remote PHP files on the server.

