WordPress Plugin Vulnerabilities

PHP Execution <= 1.0.0 - Settings Update via CSRF

Description

The plugin does not have CSRF check when enabling low privilege users (such as subscriber) the ability to execute PHP code, which could allow attackers to make logged in admins enable such option via a SCRF attack

Affects Plugins

Plugin icon
php-execution-plugin
No known fix

References

CVE
CVE-2023-23879

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
02138811-1ba6-42b3-b782-6d14647b96c6

Timeline

Publicly Published
2023-02-02 (about 3 years ago)
Added
2023-04-24 (about 3 years ago)
Last Updated
2023-04-24 (about 3 years ago)

Other

Published
Title
Published
2024-04-12
Title
RestroPress < 3.1.2.1 - Cross-Site Request Forgery via rpress_orders_list_table_process_bulk_actions
Published
2025-03-11
Title
Back To Top <= 2.0 - Cross-Site Request Forgery
Published
2025-11-29
Title
Quick Interest Slider < 3.1.6 - Cross-Site Request Forgery
Published
2023-10-03
Title
WP Pipes < 1.4.1 - CSRF
Published
2022-10-21
Title
OAuth Client by DigitialPixies <= 1.1.0 - CSRF