PT-2026-23820 · WordPress · Easy Php Settings

Zast.Ai · Published 2026-03-07 · Updated 2026-05-12 · CVE-2026-3352

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Easy PHP Settings plugin for WordPress versions up to and including 1.0.4

Description

The Easy PHP Settings plugin for WordPress is susceptible to PHP Code Injection due to inadequate input validation on the wp_memory_limit and wp_max_memory_limit settings before they are written to wp-config.php. The sanitize_text_field() function does not filter single quotes, enabling an attacker to escape the string context within a PHP define() statement. This allows authenticated attackers with Administrator-level access or higher to inject and execute arbitrary PHP code on the server by modifying the wp-config.php file, which is loaded with every page request. The vulnerable method is update_wp_memory_constants().

Recommendations

Update the Easy PHP Settings plugin to a version beyond 1.0.4.
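
The weakness described above is closed by validating the value against a strict format and letting PHP build the string literal, rather than relying on text sanitization. This is an added example, not the plugin's code or its actual fix; the helper names (eps_validate_memory_limit, eps_render_define), the accepted size format and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not taken from the Easy PHP Settings plugin.
// Only these two constants may ever be written by this code path.
const EPS_ALLOWED_CONSTANTS = ['WP_MEMORY_LIMIT', 'WP_MAX_MEMORY_LIMIT'];

/**
 * Return the normalized value, or null when it is not a plain byte-size shorthand.
 * Assumed policy: 1 to 6 digits with an optional K, M or G suffix, nothing else.
 */
function eps_validate_memory_limit(string $raw): ?string
{
    $value = strtoupper(trim($raw));
    // \A and \z anchor the whole string; "$" would tolerate a trailing newline.
    if (preg_match('/\A[1-9][0-9]{0,5}[KMG]?\z/', $value) !== 1) {
        return null;
    }
    return $value;
}

/**
 * Build the define() line destined for wp-config.php.
 * Throws instead of writing when the name or the value is unexpected.
 */
function eps_render_define(string $name, string $raw): string
{
    if (!in_array($name, EPS_ALLOWED_CONSTANTS, true)) {
        throw new InvalidArgumentException("Unexpected constant: $name");
    }
    $value = eps_validate_memory_limit($raw);
    if ($value === null) {
        throw new InvalidArgumentException("Rejected value for $name");
    }
    // Defense in depth: var_export() emits a correctly escaped PHP string literal,
    // so quotes and backslashes could not end the string even if validation changed.
    return sprintf('define(%s, %s);', var_export($name, true), var_export($value, true));
}

// Constructed sample inputs: two well-formed sizes, then values a text
// sanitizer would pass through unchanged (a single quote, a backslash) and an empty string.
foreach (['256M', ' 1g ', "256M'x", '256M\\', ''] as $raw) {
    try {
        echo eps_render_define('WP_MEMORY_LIMIT', $raw), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($raw), PHP_EOL;
    }
}
```
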

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-3352

Affected Products

Easy Php Settings
WordPress