A Critical Severity Remote Code Execution (RCE) vulnerability has been identified in the WordPress Allow PHP in Posts and Pages Plugin. This vulnerability could allow a malicious actor to execute commands on the target website, potentially gaining backdoor access and taking full control of the website.

The Remote Code Execution vulnerability was identified and reported by Lana Codes.

The flaw lies in the plugin's allowphp.php file: the plugin handles user input in a way that lets an attacker execute arbitrary commands on the target website.

Severity:

The vulnerability has a CVSS 3.1 score of 9.9, which is considered to be critical. This means that the vulnerability is highly exploitable and could have a severe impact on the affected system.

Affected Versions:

The vulnerability affects all versions of the Allow PHP in Posts and Pages Plugin.

Plugin Closure:

To protect the WordPress community, the Allow PHP in Posts and Pages Plugin has been permanently closed and is no longer available for download or activation as of February 15, 2019. This closure was enacted due to a violation of WordPress plugin guidelines. It is of utmost importance that users comply with this closure and remove the plugin from their WordPress installations immediately.

Impact:

An attacker who successfully exploits this vulnerability could:

  • Execute arbitrary commands on the target website, which could allow them to:
    • Install or uninstall plugins or themes.
    • Modify or delete files.
    • Create or delete user accounts.
    • Take full control of the website.

Recommendation:

WordPress website administrators are strongly advised to take the following actions:

  1. Deactivate and Delete the Plugin: Users of the Allow PHP in Posts and Pages Plugin are strongly advised to deactivate and delete the plugin as soon as possible. This plugin has been closed as of February 15, 2019, and is not available for download.
  2. Security Audit: Conduct a comprehensive security audit of the WordPress site to identify any signs of compromise or unauthorized access.
  3. Database Check: Examine the WordPress database for any suspicious activities or unauthorized access. Change database passwords and credentials as necessary.
  4. Stay Informed: Remain informed about security updates and vulnerabilities related to WordPress plugins and themes.
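As an added example that is not part of this advisory, the POSIX shell script below carries out step 1 on a server: it locates any installed copy of the plugin by its main file, allowphp.php, under the WordPress root passed as an argument, deactivates it with WP-CLI when that tool is present, and deletes the plugin directory. The plugin slug is taken from the directory name rather than assumed.

```shell
#!/bin/sh
# Added example (not the advisory's own code). Usage: set WP_ROOT to the
# WordPress root directory; the functions can also be called directly.

# Print each plugin directory under wp-content/plugins that contains the
# closed plugin's main file, allowphp.php. Only files inside a plugin
# subdirectory are matched, so the plugins root itself is never returned.
find_allowphp_plugin() {
    wp_root="$1"
    find "$wp_root/wp-content/plugins" -type f -name allowphp.php \
         -path "$wp_root/wp-content/plugins/*/allowphp.php" 2>/dev/null \
        | while read -r f; do dirname "$f"; done
}

# Deactivate (via WP-CLI, if installed) and delete every copy found.
# Prints "removed <dir>" for each plugin directory that was deleted.
remove_allowphp_plugin() {
    wp_root="$1"
    plugins_root="$wp_root/wp-content/plugins"
    find_allowphp_plugin "$wp_root" | while read -r dir; do
        # Safety guard: never delete anything but a plugin subdirectory.
        [ "$dir" != "$plugins_root" ] || continue
        slug=$(basename "$dir")
        if command -v wp >/dev/null 2>&1; then
            # WP-CLI records the deactivation in the active_plugins option;
            # failures are tolerated so the filesystem cleanup still runs.
            wp --path="$wp_root" plugin deactivate "$slug" >/dev/null 2>&1 || true
            wp --path="$wp_root" plugin delete "$slug" >/dev/null 2>&1 || true
        fi
        [ -d "$dir" ] && rm -rf "$dir"
        echo "removed $dir"
    done
}

# Optional top-level run, only when WP_ROOT is set in the environment.
if [ -n "${WP_ROOT:-}" ]; then
    remove_allowphp_plugin "$WP_ROOT"
fi
```

After running it, re-run `find_allowphp_plugin` on the same root; an empty result confirms no copy remains, after which the audit in steps 2 and 3 should still be carried out.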