WordPress Plugin Vulnerabilities

AccessAlly < 3.3.2 - Unauthenticated Arbitrary PHP Code Execution

Description

Prior to version 3.3.2, this plugin allowed arbitrary PHP code execution through the login_error function.

This exploit is out in the wild now and actively being exploited.

Proof of Concept

Affects Plugins

Plugin icon
accessally
Fixed in 3.3.2

References

URL
https://accessally.com/blog/accessally-release-notes-3-3-2/

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
10.0 (critical)

Miscellaneous

Original Researcher
Brad Patton
Submitter
Brad Patton
Verified
No
WPVDB ID
c644de6d-098d-4889-b75d-53fd2b89ff4d

Timeline

Publicly Published
2020-01-21 (about 5 years ago)
Added
2020-01-21 (about 5 years ago)
Last Updated
2021-03-26 (about 4 years ago)

Other

Published
Title
Published
2024-10-25
Title
Uix Shortcodes < 2.0.0 - Unauthenticated Arbitrary Shortcode Execution
Published
2024-08-23
Title
Image Hotspot by DevVN < 1.2.6 - Authenticated (Author+) PHP Object Injection
Published
2025-12-23
Title
Print Invoice & Delivery Notes for WooCommerce < 5.9.0 - Unauthenticated Remote Code Execution
Published
2023-12-06
Title
Elementor < 3.18.2 - Contributor+ Arbitrary File Upload to RCE via Template Import
Published
2015-04-02
Title
SimpleCart - File Upload & Execution