← back
CVE-2017-20251

WordPress Insert PHP Plugin 4.7.0 PHP Code Injection via REST API

CVSS 9.3 CRITICALEPSS 0.6%CWE-94
WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API. Attackers can send POST requests to the wp-json/wp/v2/posts endpoint with crafted content containing insert_php shortcodes to include and execute remote PHP files on the server.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Themeisle · Woody Code Snippets
public PoCs found2
githubgithub.com/Polosss/By-Poloss..-..CVE-2017-202511cve_referencewww.exploit-db.com/exploits/41308unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://fr.wordpress.org/plugins/insert-php/https://www.exploit-db.com/exploits/41308https://www.vulncheck.com/advisories/wordpress-insert-php-plugin-php-code-injection-via-rest-api