Platform
wordpress
Component
easy-php-settings
Fixed in
1.0.5
CVE-2026-3352 is a PHP Code Injection vulnerability affecting the Easy PHP Settings plugin for WordPress. This vulnerability allows authenticated attackers with Administrator-level access to inject malicious PHP code into the WordPress environment. Versions 1.0.0 through 1.0.4 are vulnerable, and a fix is available in version 1.0.5.
Successful exploitation of CVE-2026-3352 allows an authenticated administrator to execute arbitrary PHP code on the WordPress server. This can lead to complete compromise of the web server, including data exfiltration, modification of website content, and installation of backdoors. The attacker could potentially gain full control over the WordPress installation and the underlying server, leading to significant data breaches and service disruption. The lack of proper sanitization of wpmemorylimit and wpmaxmemory_limit settings directly enables this code injection.
CVE-2026-3352 was publicly disclosed on 2026-03-07. There are currently no known public exploits or active campaigns targeting this vulnerability. Its inclusion on KEV is pending. The vulnerability's reliance on administrator access limits its immediate exploitability, but the potential impact warrants prompt remediation.
WordPress websites utilizing the Easy PHP Settings plugin, particularly those with administrator accounts that have not been secured with strong passwords or multi-factor authentication, are at risk. Shared hosting environments where multiple WordPress installations share the same server resources are also at increased risk, as a compromise of one site could potentially impact others.
• wordpress / composer / npm:
  grep -i "define('WP_MEMORY_LIMIT'," /var/www/html/wp-config.php
• wordpress / composer / npm:
  wp plugin list --status=active | grep "Easy PHP Settings"
• wordpress / composer / npm:
  wp plugin update --all
• generic web:
  Check wp-config.php for unexpected PHP code, particularly around the memory limit settings.
disclosure
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3352 is to immediately upgrade the Easy PHP Settings plugin to version 1.0.5 or later. If upgrading is not immediately feasible, consider temporarily restricting administrator access to the plugin's settings page. While not a complete solution, this can reduce the attack surface. Review wp-config.php for any unexpected or suspicious code. Monitor WordPress logs for unusual PHP execution patterns. After upgrading, confirm the fix by attempting to modify the wpmemorylimit and wpmaxmemory_limit settings with a single quote character; the plugin should now properly sanitize the input.
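The check list above and the mitigation paragraph both say to review wp-config.php for unexpected PHP code around the memory limit settings. The script below is an added example, not code from the advisory or from the Easy PHP Settings plugin: it flags any define() of WP_MEMORY_LIMIT or WP_MAX_MEMORY_LIMIT whose value is not a plain quoted memory size (digits plus an optional K/M/G suffix) with nothing else on the line. The two sample config fragments it builds are constructed for an offline run; the function names and the `$unexpected` placeholder in the suspicious sample are assumptions, not anything the plugin writes.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): detect memory-limit
# defines in wp-config.php whose value is anything other than a literal size.

# check_memory_limit_defines FILE
# Prints flagged lines; returns 0 when every memory-limit define is a plain
# quoted size, 1 when at least one line has a different shape.
check_memory_limit_defines() {
    file="$1"
    # Both constants, matched case-insensitively (WordPress uses upper case).
    lines=$(grep -iE "define\( *['\"]WP_(MAX_)?MEMORY_LIMIT['\"]" "$file" || true)
    [ -z "$lines" ] && return 0
    # Keep only the lines that do NOT match the expected, fully literal form:
    #   define('WP_MEMORY_LIMIT', '256M');
    bad=$(printf '%s\n' "$lines" \
        | grep -viE "^ *define\( *['\"]WP_(MAX_)?MEMORY_LIMIT['\"] *, *['\"][0-9]+[KMG]?['\"] *\) *; *\$" \
        || true)
    if [ -n "$bad" ]; then
        printf 'SUSPICIOUS memory-limit define in %s:\n%s\n' "$file" "$bad"
        return 1
    fi
    return 0
}

# Constructed sample configs for an offline run (not real site files).
# Each function writes a temp file and prints its path.
make_clean_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
define('DB_NAME', 'wordpress');
define('WP_MEMORY_LIMIT', '256M');
define("WP_MAX_MEMORY_LIMIT", "512M");
EOF
    printf '%s\n' "$f"
}

make_suspicious_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
define('DB_NAME', 'wordpress');
define('WP_MEMORY_LIMIT', '256M');
define('WP_MAX_MEMORY_LIMIT', '512M' . $unexpected);
EOF
    printf '%s\n' "$f"
}

# Demonstration: the clean sample passes, the suspicious one is reported.
for sample in "$(make_clean_sample)" "$(make_suspicious_sample)"; do
    if check_memory_limit_defines "$sample"; then
        echo "OK: $sample"
    fi
    rm -f "$sample"
done
```

On a real site, source the script and call `check_memory_limit_defines /var/www/html/wp-config.php` (the path from the check list above). A non-zero exit means a memory-limit define carries something other than a literal size and deserves a manual look; a clean result does not rule out code injected elsewhere in the file, so the broader review the advisory recommends still applies.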
Update to version 1.0.5, or a newer patched version
CVE-2026-3352 is a vulnerability in the Easy PHP Settings WordPress plugin allowing authenticated administrators to inject PHP code due to insufficient input validation. It has a HIGH severity rating (CVSS 7.2).
You are affected if your WordPress website runs Easy PHP Settings plugin versions 1.0.0 through 1.0.4; exploitation requires an account with administrator-level access.
Upgrade the Easy PHP Settings plugin to version 1.0.5 or later to resolve the vulnerability. Restrict administrator access if immediate upgrade is not possible.
As of now, there are no known public exploits or active campaigns targeting CVE-2026-3352, but prompt remediation is still recommended.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information regarding CVE-2026-3352.