A Critical Severity Remote Code Execution (RCE) vulnerability has been identified in the WordPress Allow PHP in Posts and Pages Plugin. This vulnerability could allow a malicious actor to execute commands on the target website, potentially gaining backdoor access and taking full control of the website.

The Remote Code Execution vulnerability was identified and reported by Lana Codes.

The vulnerability is an RCE vulnerability that occurs in the allowphp.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to execute arbitrary commands on the target website.


The vulnerability has a CVSS 3.1 score of 9.9, which is considered to be critical. This means that the vulnerability is highly exploitable and could have a severe impact on the affected system.

Affected Versions:

The vulnerability affects all versions of the Allow PHP in Posts and Pages Plugin.

Plugin Closure:

To protect the WordPress community, the Allow PHP in Posts and Pages Plugin has been permanently closed and is no longer available for download or activation as of February 15, 2019. This closure was enacted due to a violation of WordPress plugin guidelines. It is of utmost importance that users comply with this closure and remove the plugin from WordPress installation immediately.


An attacker who successfully exploits this vulnerability could:

  • Execute arbitrary commands on the target website, which could allow them to:
    • Install or uninstall plugins or themes.
    • Modify or delete files.
    • Create or delete user accounts.
    • Take full control of the website.


Strongly advise WordPress website administrators to take the following actions:

  1. Deactivate and Delete the Plugin: Users of the Allow PHP in Posts and Pages Plugin are strongly advised to deactivate and delete the plugin as soon as possible. This plugin has been closed as of February 15, 2019, and is not available for download.
  2. Security Audit: Conduct a comprehensive security audit of the WordPress site to identify any signs of compromise or unauthorized access.
  3. Database Check: Examine the WordPress database for any suspicious activities or unauthorized access. Change database passwords and credentials as necessary.
  4. Stay Informed: Remain informed about security updates and vulnerabilities related to WordPress plugins and themes.