Menu

React, etc. Tech Stack

React, Flux, GraphQL, Hack, HHVM...? All of this and more!

Popular WordPress plugin allows authenticated users to execute any PHP on page load

The WordPress plugin Insert PHP allows users to embed WordPress into posts and pages. The code is annotated with [insert_php] in the rich text editor and the code is executed upon loading of the page with the PHP eval function.

Now it has been reported that the Insert PHP plugin is vulnerable and will allow an authenticated used with Contributer (or higher) role to run any PHP code on a WordPress site. Obviously as the attacker can execute PHP, they can use their code to bypass any security functionalities within WordPress itself.

The issue was uncovered during the Summer of Pwnage event in July 2016. This event aims to find security issues within Open Source software. There is currently no fix available. The author of the Insert PHP WordPress Plugin has indicated that this issue will not be resolved/mitigated.

Considering the insert PHP plugin is in active use on over 100,000 sites, this is reckless and displays while WordPress itself may be relatively secure, users relying on shoddy plugins such as this one are not. While unmaintained software is always vulnerable to attacks; In this case even updating will not be enough as the plugin developers are ignoring the issue.

Read the complete report from the Summer of Pwnage site: Insert PHP WordPress Plugin allows authenticated user to execute arbitrary PHP

Written by Jorgé on Tuesday August 2, 2016

Permalink -

« TypeScript over JavaScript and Babel? - Introduction to Map, Filter and Reduce in JavaScript »