WordPress Plugin Vulnerabilities

Multiple Page Generator Plugin – MPG < 3.4.1 - Authenticated (Editor+) Remote Code Execution

Description

The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.4.0. This makes it possible for authenticated attackers, with editor-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
multiple-pages-generator-by-porthas
Fixed in 3.4.1

References

CVE
CVE-2024-27951
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/155f765c-65ab-443a-a4b7-50d916e2903c

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Majed Refaea
Verified
No
WPVDB ID
ac598b8b-12e1-46cc-85f0-e8e7186e5edf

Timeline

Publicly Published
2024-03-13 (about 2 years ago)
Added
2024-03-20 (about 2 years ago)
Last Updated
2024-03-20 (about 2 years ago)

Other

Published
Title
Published
2026-01-13
Title
FluentForm < 6.1.12 - Unauthenticated Arbitrary Shortcode Execution
Published
2014-08-01
Title
WP-Super-Cache 1.3 - Remote Code Execution
Published
2024-08-23
Title
Image Hotspot by DevVN < 1.2.6 - Authenticated (Author+) PHP Object Injection
Published
2024-10-09
Title
External featured image from bing <= 1.0.2 - Authenticated (Subscriber+) Remote Code Execution
Published
2026-04-13
Title
Germanized for WooCommerce < 3.20.6 - Unauthenticated Arbitrary Shortcode Execution