WordPress Plugin Vulnerabilities

PHP to Page <= 0.3 - Authenticated (Subscriber+) Local File Inclusion to Remote Code Execution via Shortcode

Description

The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to include local file and potentially execute code on the server. While subscribers may need to poison log files or otherwise get a file installed in order to achieve remote code execution, author and above users can upload files by default and achieve remote code execution easily.

Proof of Concept

Affects Plugins

Plugin icon
php-to-page
No known fix

References

CVE
CVE-2023-5199
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/83e5a0dc-fc51-4565-945f-190cf9175874

Classification

Type
RFI
OWASP top 10
A1: Injection
CWE
CWE-98
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
4c2e840a-869e-43e2-8810-aafd6e79e69e

Timeline

Publicly Published
2023-10-29 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2025-10-11 (about 7 months ago)

Other

Published
Title
Published
2014-08-01
Title
plugin wp-Table <= 1.43 - (inc_dir) RFI
Published
2026-02-25
Title
Playa | Beach & Pool Club WordPress Theme <= 1.3.9 - Unauthenticated Local File Inclusion
Published
2025-08-23
Title
Otaku <= 1.8.0 - Unauthenticated Local File Inclusion
Published
2025-12-26
Title
CedCommerce Integration for Good Market <= 1.0.6 - Unauthenticated Local File Inclusion
Published
2025-08-30
Title
Indutri < 1.3.0 - Unauthenticated Local File Inclusion