A critical Remote Code Execution (RCE) vulnerability has been identified in the PHP to Page plugin. This vulnerability could allow a malicious actor to execute commands on the target website, which could lead to full control of the website.

Lana Codes discovered and reported this vulnerability.

This vulnerability is caused by a flaw in the way that the PHP to Page plugin handles user input. The vulnerability allows an attacker to exploit a flaw in the plugin’s code to execute arbitrary commands on the affected website.


Critical (CVSS 3.1 score of 9.9)

Affected Versions

All versions of the PHP to Page plugin


If a malicious actor is able to exploit this vulnerability, they could:

  • Execute arbitrary commands on the affected website.
  • Gain backdoor access to the website.
  • Take full control of the website.


In response to this critical security alert, the following actions are advised:

  1. Disable the Plugin: Disable the PHP to Page plugin immediately. There is no patched version available at this time.
  2. Search for Updates: Keep a close eye on the WordPress plugin repository for updates related to the PHP to Page Plugin. While there may not be a solution currently, developers might release a patched version in the future.
  3. Plugin Alternatives: Investigate potential alternatives to the PHP to Page Plugin. The WordPress ecosystem offers a wide array of plugins with similar functionalities. Research and consider transitioning to a more secure option.
  4. Backup and Recovery Plan: Implement a robust backup and recovery strategy for the website. Backups can provide a safety net in case of any security incident.
  5. Vigilance and Monitoring: Stay vigilant for any unusual activities or changes WordPress site. Continuous monitoring and security audits can help detect potential breaches.