PT-2025-42214 · WordPress · Is-Human
Published 2025-10-15 · Updated 2025-10-15 · CVE-2011-10033
CVSS v4.0: 9.3 Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
WordPress plugin is-human versions 1.4.2 and earlier
Description
The WordPress plugin is-human versions 1.4.2 and earlier contains an eval injection issue in the /is-human/engine.php file. This can be triggered via the type parameter when the action parameter is set to log-reset. The root cause is the unsafe use of the eval() function on user-controlled input, potentially allowing execution of attacker-supplied PHP and OS commands. This could lead to arbitrary code execution as the webserver user, site compromise, or data exfiltration. The is-human plugin was made defunct in June 2008 and is no longer available for download. This issue was exploited in the wild in March 2012.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
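With no fixed version available, one practical check is to search web server access logs for requests to the affected file. The script below is an added example, not code from this advisory or from the plugin; it assumes combined-format access logs and that the parameters arrive in the query string (POST bodies are not logged), and its log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [15/Oct/2025:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [15/Oct/2025:10:01:02 +0000] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=PLACEHOLDER HTTP/1.1" 200 12 "-" "-"
198.51.100.4 - - [15/Oct/2025:10:02:30 +0000] "GET /wp-content/plugins/is-human/engine.php HTTP/1.1" 404 0 "-" "-"
203.0.113.7 - - [15/Oct/2025:10:03:11 +0000] "GET /wp-content/plugins//is-human/engine%2Ephp?type=PLACEHOLDER&action=log%2Dreset HTTP/1.1" 200 12 "-" "-"
192.0.2.10 - - [15/Oct/2025:10:04:00 +0000] "GET /wp-content/plugins/is-human/readme.txt HTTP/1.1" 404 0 "-" "-"
"""

# Client address first, request line in the first quoted field.
LINE_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')
TARGET_PATH = "/is-human/engine.php"  # file named in the advisory

def classify(target):
    """Return 'match', 'probe' or None for one request target."""
    raw_path, _, query = target.partition("?")
    # Percent-decode and collapse duplicate slashes so encoded variants still compare equal.
    path = re.sub(r"/+", "/", unquote(raw_path)).lower()
    if not path.endswith(TARGET_PATH):
        return None
    params = parse_qs(query, keep_blank_values=True)  # decodes parameter values
    # Trigger described in the advisory: action=log-reset together with a type parameter.
    if "log-reset" in params.get("action", []) and "type" in params:
        return "match"
    # The plugin has been defunct since 2008, so any request for the file deserves review.
    return "probe"

def scan(log_text):
    """Return (line number, client address, verdict) for every flagged line."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify(m.group(2))
        if verdict:
            hits.append((number, m.group(1), verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "match" on a host where the plugin directory still exists warrants treating the site as potentially compromised; a "probe" that returned 404 indicates scanning only.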
RCE
Eval Injection
Affected Products
Is-Human