Platform: wordpress
Component: allow-php-in-posts-and-pages
Fixed in: 3.0.5
CVE-2023-4994 is a critical Remote Code Execution (RCE) vulnerability in the Allow PHP in Posts and Pages plugin for WordPress. It allows authenticated attackers, including accounts with only subscriber-level permissions, to execute arbitrary PHP code on the server. Versions up to and including 3.0.4 are affected; version 3.0.5 fixes the issue, and an immediate upgrade is recommended.
The impact of CVE-2023-4994 is severe. An attacker can use the plugin's 'php' shortcode to inject and execute arbitrary PHP on a vulnerable site, which can lead to complete server compromise: data exfiltration, website defacement, web-shell or malware installation, and lateral movement into the surrounding network. The plugin's whole purpose is to evaluate PHP placed inside that shortcode, so once a low-privileged account can get the shortcode rendered, the capability checks WordPress normally relies on to keep server-side code in administrators' hands no longer apply. Because the subscriber role is sufficient, the pool of accounts that can exploit the bug is far larger than for most plugin RCEs.
CVE-2023-4994 was publicly disclosed on September 16, 2023. No active exploitation campaign has been definitively confirmed, and the vulnerability is not currently listed in the CISA KEV catalog, but the low privilege requirement and the simplicity of the bug make it a likely target, and public proof-of-concept code is likely to emerge.
Any WordPress site running the Allow PHP in Posts and Pages plugin at version 3.0.4 or earlier is at risk. Sites that allow open user registration are exposed to anyone on the internet, since a subscriber account is all an attacker needs; sites where subscriber-level users can also create or edit content give such an account even more places to plant the shortcode. Shared hosting environments where plugin updates are not consistently applied across tenants are a particular concern.
Detection and remediation (WP-CLI commands are run from the WordPress root; the grep assumes the default /var/www/html document root):

• Confirm whether the plugin is installed, whether it is active, and which version is present. An inactive copy does not register the shortcode but should still be updated or deleted:
wp plugin list --fields=name,status,version | grep allow-php-in-posts-and-pages
• Without WP-CLI, read the version from the plugin header:
grep -m1 -h 'Version:' /var/www/html/wp-content/plugins/allow-php-in-posts-and-pages/*.php
• Update to the fixed release (3.0.5 or later):
wp plugin update allow-php-in-posts-and-pages

Exploit status: disclosure
EPSS: 1.15% (78th percentile)
CVSS vector:
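On a shared host with many tenants, checking one installation at a time with WP-CLI does not scale, and WP-CLI may not be available for every site. The following script is an added example (not part of this advisory or of the plugin) that walks a set of document roots, finds every copy of the plugin directory, reads the Version header the way WordPress does, and reports copies still below 3.0.5. The document roots are assumptions about the host layout; a copy whose version cannot be read is reported as vulnerable rather than silently skipped.

```php
<?php
/**
 * Added example: find copies of allow-php-in-posts-and-pages affected by CVE-2023-4994
 * (version <= 3.0.4) across every WordPress install under the given document roots.
 * Run from the command line as a user that can read the tenants' files.
 */

const AFFECTED_PLUGIN = 'allow-php-in-posts-and-pages';
const FIRST_FIXED     = '3.0.5';

/** Read the "Version:" plugin header from the plugin's main file, as WordPress does. */
function plugin_header_version( string $plugin_dir ): ?string {
    foreach ( glob( $plugin_dir . '/*.php' ) ?: [] as $file ) {
        // WordPress only inspects the first 8 KiB of a file for plugin headers.
        $head = file_get_contents( $file, false, null, 0, 8192 );
        if ( $head !== false && preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $head, $m ) ) {
            return $m[1];
        }
    }
    return null;
}

/** Return [plugin path => version] for every affected copy found under the roots. */
function find_vulnerable_copies( array $docroots ): array {
    $hits = [];
    foreach ( $docroots as $root ) {
        // Walk the tree (subdirectory installs, multisite, staging copies). CATCH_GET_CHILD
        // skips directories this user cannot read instead of aborting the scan.
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
            RecursiveIteratorIterator::SELF_FIRST,
            RecursiveIteratorIterator::CATCH_GET_CHILD
        );
        foreach ( $it as $entry ) {
            if ( ! $entry->isDir() || $entry->getFilename() !== AFFECTED_PLUGIN ) {
                continue;
            }
            // Only count directories that actually sit in a wp-content/plugins folder.
            if ( basename( dirname( $entry->getPathname() ) ) !== 'plugins' ) {
                continue;
            }
            $version = plugin_header_version( $entry->getPathname() );
            // Unknown version is treated as vulnerable: a missing header is itself suspicious.
            if ( $version === null || version_compare( $version, FIRST_FIXED, '<' ) ) {
                $hits[ $entry->getPathname() ] = $version ?? 'unknown';
            }
        }
    }
    return $hits;
}

// Assumed layouts: cPanel-style home directories plus a single /var/www site tree.
$docroots = array_filter( [ '/home', '/var/www' ], 'is_dir' );
foreach ( find_vulnerable_copies( $docroots ) as $path => $version ) {
    printf( "VULNERABLE  %-8s %s\n", $version, $path );
}
```

The scan reports the plugin directory regardless of whether the plugin is active, which is deliberate: an inactive copy of 3.0.4 can be reactivated by any tenant with plugin rights, so it belongs on the update list too. Walking /home on a large host takes time; restrict the roots to the tenants you are responsible for if needed.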
The primary mitigation for CVE-2023-4994 is to upgrade the Allow PHP in Posts and Pages plugin to 3.0.5 or later immediately. If upgrading is not feasible right away because of compatibility concerns, disable the plugin entirely; an inactive plugin no longer registers the shortcode, although its code stays on disk until it is deleted. As a narrower interim measure, restrict the 'php' shortcode so that only content authored by trusted administrators is evaluated. Review web-server and application logs for suspicious activity involving the shortcode, and look for unexpected new subscriber accounts. After upgrading, confirm the fix from a subscriber-level test account rather than an administrator account: place a harmless snippet inside the 'php' shortcode wherever that account can get content rendered and verify that it is stripped or shown as text rather than executed.
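One way to implement the interim restriction above is a must-use plugin that re-registers the 'php' shortcode behind an author check. This is an added example, not code from the plugin or from the advisory; it assumes the plugin registers its handler with add_shortcode( 'php', ... ) and that the handler takes the standard ( $atts, $content, $tag ) arguments, neither of which is verified here against the plugin source. The constant name and function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Interim guard for the [php] shortcode (CVE-2023-4994)
 * Description: Wraps the 'php' shortcode so it is only evaluated in content authored by
 *              an administrator, until allow-php-in-posts-and-pages is updated to 3.0.5+.
 *
 * Install as wp-content/mu-plugins/cve-2023-4994-guard.php: mu-plugins load before regular
 * plugins and cannot be deactivated from the dashboard. Delete it once the plugin is updated.
 *
 * Assumption (not checked against the plugin source): the plugin registers its handler with
 * add_shortcode( 'php', ... ) before 'init' completes, with the standard handler signature.
 */

// Define this as true in wp-config.php to remove the shortcode outright instead of gating it.
if ( ! defined( 'CVE_2023_4994_DISABLE_PHP_SHORTCODE' ) ) {
	define( 'CVE_2023_4994_DISABLE_PHP_SHORTCODE', false );
}

// Run as late as possible on 'init' so the vulnerable plugin has already registered the tag.
add_action( 'init', 'cve_2023_4994_guard_php_shortcode', PHP_INT_MAX );

function cve_2023_4994_guard_php_shortcode() {
	global $shortcode_tags;

	if ( ! isset( $shortcode_tags['php'] ) ) {
		return; // Plugin inactive or not installed: nothing to wrap.
	}

	if ( CVE_2023_4994_DISABLE_PHP_SHORTCODE ) {
		remove_shortcode( 'php' ); // Hard-disable: the tag is no longer expanded anywhere.
		return;
	}

	$original_handler = $shortcode_tags['php'];

	// add_shortcode() replaces the existing handler for the tag with our wrapper.
	add_shortcode( 'php', function ( $atts, $content = null, $tag = '' ) use ( $original_handler ) {
		if ( ! cve_2023_4994_context_is_trusted() ) {
			// Default-deny. Return an empty string rather than the raw source so the PHP is not leaked.
			return '';
		}
		return call_user_func( $original_handler, $atts, $content, $tag );
	} );
}

/**
 * Decide whether the shortcode being rendered comes from a trusted author.
 *
 * Checking the viewer with current_user_can() would break legitimate admin-authored pages
 * for anonymous visitors, so the author of the post being rendered is checked instead.
 * Outside a post context (no global post set up) there is no author to trust, so deny.
 */
function cve_2023_4994_context_is_trusted() {
	$post = get_post();
	if ( ! $post instanceof WP_Post || empty( $post->post_author ) ) {
		return false;
	}
	return user_can( (int) $post->post_author, 'manage_options' );
}
```

The author check has a known limit: if the plugin (or a theme) runs do_shortcode() over something other than the post body, such as comment text, while an administrator's post is the current global post, the check still passes. If that cannot be ruled out, set CVE_2023_4994_DISABLE_PHP_SHORTCODE to true, which removes the tag entirely and is equivalent to turning the feature off until the plugin is updated.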
Update the Allow PHP in Posts and Pages plugin to the latest available version. This fixes the remote code execution vulnerability.
CVE-2023-4994 is a critical RCE vulnerability in the Allow PHP in Posts and Pages WordPress plugin that lets attackers with only subscriber permissions execute code on the server. It affects plugin versions up to and including 3.0.4 and requires immediate attention.
If the Allow PHP in Posts and Pages plugin at version 3.0.4 or earlier is installed on your WordPress site, you are vulnerable. Check the plugin version and upgrade immediately.
Upgrade the Allow PHP in Posts and Pages plugin to 3.0.5 or later. If upgrading is not possible, disable the plugin as a temporary workaround.
While no confirmed active exploitation campaigns are currently known, the vulnerability's ease of exploitation makes it a likely target. Monitor your systems closely.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information regarding CVE-2023-4994.