PT-2023-31415 · WordPress · Allow Php In Posts/Pages
István Márton +1 · Published 2023-09-15 · Updated 2023-09-20 · CVE-2023-4994
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Allow PHP in Posts and Pages plugin for WordPress versions up to, and including, 3.0.4
Description
The issue allows authenticated attackers with subscriber-level permissions or above to execute code on the server via the php shortcode. This enables remote code execution.
Recommendations
For versions up to, and including, 3.0.4, update to a version later than 3.0.4 to resolve the issue.
As a temporary workaround, consider disabling the use of the php shortcode until a patch is available.
Fix
RCE
Code Injection
Weakness Enumeration
Related Identifiers
Affected Products
Allow Php In Posts/Pages
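
An audit sketch for the recommendations above (an added example, not part of the advisory or the plugin's code): it checks a plugin version string against the affected range and counts unescaped php shortcodes in exported site content. The [php] and [[php]] forms follow standard WordPress shortcode syntax; the row layout, function names and sample data are assumptions constructed for illustration.

```python
import re

LAST_AFFECTED = (3, 0, 4)  # advisory: versions up to, and including, 3.0.4

# WordPress shortcode syntax: [php] or [php attr=...] opens the tag, [[php]] is
# the escaped, non-executing form. Case-insensitive on purpose, so the audit
# over-reports rather than misses a variant.
PHP_SHORTCODE = re.compile(r"(?<!\[)\[php(?=[\s\]/])[^\]]*\]", re.IGNORECASE)

# Constructed sample rows (source, record id, text); not real site data.
SAMPLE_ROWS = [
    ("post", 12, "Year: [php]echo date('Y');[/php]"),
    ("post", 13, "Docs: write [[php]] to show the tag literally."),
    ("post", 14, 'See [phpinfo] and [gallery ids="1,2"]'),
    ("comment", 40, "A [PHP debug=1]echo 'x';[/PHP] and [php]echo 'y';[/php]"),
]


def parse_version(text):
    """Turn '3.0.4' or '3.0.4-beta' into a tuple of at least three integers."""
    parts = []
    for piece in text.strip().split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts) + (0,) * (3 - len(parts))


def is_affected(version_text):
    """True when the installed plugin version is 3.0.4 or earlier."""
    return parse_version(version_text) <= LAST_AFFECTED


def find_php_shortcodes(rows):
    """Return (source, record id, count) for rows with unescaped php shortcodes."""
    hits = []
    for source, record_id, text in rows:
        count = len(PHP_SHORTCODE.findall(text))
        if count:
            hits.append((source, record_id, count))
    return hits


if __name__ == "__main__":
    print("3.0.4 affected:", is_affected("3.0.4"))
    for hit in find_php_shortcodes(SAMPLE_ROWS):
        print("php shortcode found:", hit)
```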