Platform
wordpress
Component
easy-php-settings
Fixed in
1.0.5
CVE-2026-3352 is a PHP Code Injection vulnerability affecting the Easy PHP Settings plugin for WordPress. This vulnerability allows authenticated attackers with Administrator-level access to inject malicious PHP code into the WordPress environment. Versions 1.0.0 through 1.0.4 are vulnerable, and a fix is available in version 1.0.5.
Successful exploitation of CVE-2026-3352 allows an authenticated administrator to execute arbitrary PHP code on the WordPress server. This can lead to complete compromise of the web server, including data exfiltration, modification of website content, and installation of backdoors. The attacker could potentially gain full control over the WordPress installation and the underlying server, leading to significant data breaches and service disruption. The lack of proper sanitization of wpmemorylimit and wpmaxmemory_limit settings directly enables this code injection.
CVE-2026-3352 was publicly disclosed on 2026-03-07. There are currently no known public exploits or active campaigns targeting this vulnerability. Its inclusion on KEV is pending. The vulnerability's reliance on administrator access limits its immediate exploitability, but the potential impact warrants prompt remediation.
Exploit Status
EPSS
0.06% (18% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3352 is to immediately upgrade the Easy PHP Settings plugin to version 1.0.5 or later. If upgrading is not immediately feasible, consider temporarily restricting administrator access to the plugin's settings page. While not a complete solution, this can reduce the attack surface. Review wp-config.php for any unexpected or suspicious code. Monitor WordPress logs for unusual PHP execution patterns. After upgrading, confirm the fix by attempting to modify the wpmemorylimit and wpmaxmemory_limit settings with a single quote character; the plugin should now properly sanitize the input.
Update to version 1.0.5, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-3352 is a vulnerability in the Easy PHP Settings WordPress plugin allowing authenticated administrators to inject PHP code due to insufficient input validation. It has a HIGH severity rating (CVSS 7.2).
You are affected if you are using Easy PHP Settings plugin versions 1.0.0 through 1.0.4 on your WordPress website and have administrator-level access.
Upgrade the Easy PHP Settings plugin to version 1.0.5 or later to resolve the vulnerability. Restrict administrator access if immediate upgrade is not possible.
As of now, there are no known public exploits or active campaigns targeting CVE-2026-3352, but prompt remediation is still recommended.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information regarding CVE-2026-3352.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.