Platform
wordpress
Component
allow-php-in-posts-and-pages
Fixed in
3.0.5
CVE-2023-4994 is a critical Remote Code Execution (RCE) vulnerability in the Allow PHP in Posts and Pages plugin for WordPress. The plugin's 'php' shortcode evaluates the PHP it wraps, and in affected versions authenticated users with as little as subscriber-level permissions could reach it, allowing them to execute arbitrary PHP code on the server. Versions up to and including 3.0.4 are affected; version 3.0.5 fixes the issue, and immediate upgrade is recommended.
The impact of CVE-2023-4994 is severe. An attacker holding only a subscriber-level account can use the 'php' shortcode to inject and execute arbitrary PHP on a vulnerable site, and that code runs with the privileges of the web server process. This amounts to full compromise of the WordPress host: data exfiltration (including the database credentials in wp-config.php), website defacement, web shell or malware installation, and a foothold for lateral movement within the network. Because running PHP placed in post content is the plugin's intended function, WordPress's usual separation between content and code does not apply; the flaw is that this capability was reachable by low-privileged users instead of being restricted to trusted administrators. The subscriber-level requirement greatly enlarges the attack surface, since any site with open registration or a single compromised low-value account is exposed.
CVE-2023-4994 was publicly disclosed on September 16, 2023. While no active exploitation campaigns have been definitively confirmed, the ease of exploitation and the plugin's popularity make it a likely target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge given the vulnerability's simplicity.
Exploit Status
EPSS
1.15% (78th percentile)
CVSS Vector
The primary mitigation for CVE-2023-4994 is to upgrade the Allow PHP in Posts and Pages plugin to version 3.0.5 or later. If upgrading is not immediately feasible because of compatibility or breaking-change concerns, disable the plugin entirely. Its sole purpose is to evaluate the PHP inside the 'php' shortcode, so any interim workaround must stop that shortcode from being evaluated at all; limiting who may author new content does not help, because content an attacker has already stored would still run when it is rendered. Restricting use of the shortcode to trusted administrators is therefore only a stopgap. Review server access logs and recently created or edited posts and pages for 'php' shortcode tags, paying particular attention to content authored by low-privileged accounts. After upgrading, confirm the fix by placing a harmless PHP snippet inside the 'php' shortcode from a subscriber-level test account and verifying that it is not executed; administrators may legitimately still be able to use the shortcode, since that is the plugin's feature.
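The version check and the content review described above, written out as a POSIX shell triage script. This is an added example, not code from the advisory page or from the plugin's authors. It assumes WP-CLI (`wp`) is installed on the site host, that the plugin slug is `allow-php-in-posts-and-pages` (the Component field above), and that the posts table uses the default `wp_posts` name; the sample rows at the bottom are constructed to exercise the filter offline.

```sh
#!/bin/sh
# Added triage helpers for CVE-2023-4994 (example code, not from the advisory or
# the plugin). Assumptions: WP-CLI ("wp") is on PATH, the plugin slug is
# allow-php-in-posts-and-pages, and the posts table is wp_posts.

FIXED_VERSION="3.0.5"   # first non-vulnerable release per the "Fixed in" field

# version_lt A B: succeeds when dotted version A is numerically lower than B.
# Components are compared as integers (so 3.0.10 > 3.0.5) and missing
# components count as 0 (so 3.0 < 3.0.5).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# is_vulnerable VERSION: succeeds when VERSION is 3.0.4 or earlier.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_version: prints the plugin version reported by WP-CLI
# (prints nothing if WP-CLI is missing or the plugin is not installed).
installed_version() {
    wp plugin get allow-php-in-posts-and-pages --field=version 2>/dev/null
}

# flag_php_shortcode_posts: reads tab-separated "ID<TAB>post_author<TAB>post_content"
# rows on stdin and prints "ID author" for each row whose content carries a
# [php] or [php ...] shortcode tag. Feed it the output of
#   wp db query --skip-column-names "SELECT ID, post_author, post_content FROM wp_posts"
# (mysql batch output escapes newlines inside post_content as \n, so each row
# stays on one line). Cross-check the listed authors against their roles.
flag_php_shortcode_posts() {
    awk -F '\t' '$3 ~ /\[php[] ]/ { print $1, $2 }'
}

# triage: verdict for the installed version, then the posts to review.
# Meant to be run on the site host; not exercised by the offline demo below.
triage() {
    v=$(installed_version)
    if [ -z "$v" ]; then echo "plugin not installed"; return 0; fi
    if is_vulnerable "$v"; then
        echo "VULNERABLE: $v (fixed in $FIXED_VERSION)"
    else
        echo "patched: $v"
    fi
    wp db query --skip-column-names \
        "SELECT ID, post_author, post_content FROM wp_posts" | flag_php_shortcode_posts
}

# Constructed sample rows (not real site data) to exercise the filter offline.
# Row 103 uses a different shortcode name and must not be flagged.
SAMPLE_ROWS=$(printf '101\t1\t<p>Hello</p>\n102\t7\t[php]echo shell_exec("id");[/php]\n103\t7\t[phpx] not a php tag\n104\t7\tIntro [php class="x"]phpinfo();[/php]')

# Offline demo: version verdicts and the flagged sample rows.
for v in 3.0.4 3.0.5; do
    if is_vulnerable "$v"; then echo "$v: vulnerable"; else echo "$v: patched"; fi
done
printf '%s\n' "$SAMPLE_ROWS" | flag_php_shortcode_posts
```

On a real site, run `triage` instead of the demo lines; the version comparison is done numerically per component rather than lexically so that a hypothetical 3.0.10 is not mistaken for an old release.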
Update the Allow PHP in Posts and Pages plugin to the latest available version. This will resolve the remote code execution vulnerability.
CVE-2023-4994 is a critical RCE vulnerability in the Allow PHP in Posts and Pages WordPress plugin, allowing authenticated attackers with subscriber-level permissions to execute arbitrary PHP code via the 'php' shortcode. It affects versions up to and including 3.0.4 and requires immediate attention.
If you are running the Allow PHP in Posts and Pages plugin at version 3.0.4 or earlier, you are vulnerable regardless of your WordPress core version. Check the plugin version and upgrade immediately.
Upgrade the Allow PHP in Posts and Pages plugin to a version greater than 3.0.4. If upgrading is not possible, disable the plugin as a temporary workaround.
While no confirmed active exploitation campaigns are currently known, the vulnerability's ease of exploitation makes it a likely target. Monitor your systems closely.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information regarding CVE-2023-4994.