CVE Catalog

CVE-2017-20251

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Summary

The Insert PHP plugin for WordPress versions before 3.3.1 contains a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API.

Risk Assessment

Attackers can send POST requests to the wp-json/wp/v2/posts endpoint with crafted content, potentially leading to remote code execution on the server, jeopardizing the security of the entire application.

Recommendation

It is recommended to update the Insert PHP plugin to version 3.3.1 or later to mitigate this vulnerability and to monitor server logs for potential attack attempts.

Original NVD description (English source)

WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API. Attackers can send POST requests to the wp-json/wp/v2/posts endpoint with crafted content containing insert_php shortcodes to include and execute remote PHP files on the server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS