WordPress Plugin Vulnerabilities

Allow PHP in Posts and Pages < 3.0.4 - Authenticated Remote Code Execution (RCE)

Description

The Allow PHP in Posts and Pages plugin for WordPress is vulnerable to Remote Code Execution via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server.

Affects Plugins

Plugin icon
allow-php-in-posts-and-pages
No known fix

References

CVE
CVE-2023-4994
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/allow-php-in-posts-and-pages/allow-php-in-posts-and-pages-304-authenticated-subscriber-remote-code-execution-via-shortcode

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
508415d3-39fc-4c92-8de3-686db2a7e6c8

Timeline

Publicly Published
2023-09-15 (about 2 years ago)
Added
2023-09-20 (about 2 years ago)
Last Updated
2023-09-20 (about 2 years ago)

Other

Published
Title
Published
2022-10-03
Title
WP ALL Export Pro < 1.7.9 - Authenticated Code Injection
Published
2026-03-16
Title
Post Snippets – Custom WordPress Code Snippets Customizer < 4.0.13 - Authenticated (Contributor+) Remote Code Execution
Published
2024-12-05
Title
Pojo Forms < 1.4.8 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via form_preview_shortcode
Published
2024-01-16
Title
Display custom fields in the frontend – Post and User Profile Fields < 1.3.0 - Authenticated (Contributor+) Code Injection
Published
2025-09-22
Title
WP User Frontend < 4.1.13 - Authenticated (Subscriber+) Arbitrary Shortcode Execution