critical

WordPress Insert PHP Plugin (< 3.3.1) Unauthenticated PHP Code Injection via REST API

critical-cve-against-dependency · active

The WordPress Insert PHP plugin before version 3.3.1 contains a PHP code injection flaw that lets unauthenticated attackers run arbitrary PHP on the server by submitting crafted insert_php shortcodes through the WordPress REST API. This can lead to full server compromise.
