CVE-2024-13890
Published: 08 March 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2024-13890 is a PHP Code Injection vulnerability (CWE-94) in the Allow PHP Execute plugin for WordPress, affecting all versions up to and including 1.0. WordPress core never evaluates PHP placed in post or page content; the plugin adds exactly that behaviour, and it gates it only on the unfiltered_html capability. Any user holding that capability can therefore place PHP in a post or page and have the server execute it, which turns a content-editing permission into code execution.
Authenticated attackers with Editor-level access or higher can exploit the flaw over the network with low complexity and no user interaction. Successful exploitation yields arbitrary PHP code execution on the web server, with high impact on confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The PR:H component reflects the need for an account with unfiltered_html, which in a default single-site WordPress install belongs to the Editor and Administrator roles; on multisite only super admins hold it, and defining DISALLOW_UNFILTERED_HTML in wp-config.php removes it from every role, which narrows the set of accounts able to reach the plugin's code-execution path.
Wordfence has published an advisory for the vulnerability, and the plugin's source at line 10 of allow-php-execute.php is the referenced location of the code that executes PHP without restriction. No fixed version is referenced, so every installed version of the plugin should be treated as affected and the plugin removed or disabled rather than awaited for a patch.
Details
- CWE(s): CWE-94, Improper Control of Generation of Code ('Code Injection')
Affected Products: Allow PHP Execute plugin for WordPress, all versions up to and including 1.0
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The PHP code injection flaw lets an authenticated Editor turn the public-facing WordPress application into a code-execution path (T1190, Exploit Public-Facing Application), and because the executed PHP lives in post or page content that the server renders on request, the same mechanism serves directly as a web shell that persists across sessions without the attacker writing any file to disk (T1505.003, Server Software Component: Web Shell).