CVE-2011-10033

EXPLOITED

WordPress Plugin <=1.4.2 - Code Injection

Title source: llm

Description

The WordPress plugin is-human <= v1.4.2 contains an eval injection vulnerability in /is-human/engine.php that can be triggered via the 'type' parameter when the 'action' parameter is set to 'log-reset'. The root cause is unsafe use of eval() on user-controlled input, which can lead to execution of attacker-supplied PHP and OS commands. This may result in arbitrary code execution as the webserver user, site compromise, or data exfiltration. The is-human plugin was made defunct in June 2008 and is no longer available for download. This vulnerability was exploited in the wild in March 2012.

Exploits (1)

exploitdb WORKING POC VERIFIED

by neworder · textwebappsphp

https://www.exploit-db.com/exploits/17299

View Code ZIP pw:eip

References (5)

[Various Sources] https://web.archive.org/web/20120115212202/http://blog.spiderlabs.com/2012/01/honeypot-alert-is-human-wordpress-plugin-remote-command-execution-attack-detected.html

[Various Sources] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-alert-more-wordpress-is_human-plugin-remote-command-injection-attack-detected/

[Product] https://wordpress.org/plugins/is-human/

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/17299

[Third Party Advisory] https://www.vulncheck.com/advisories/wordpress-plugin-is-human-eval-injection-rce

Scores

EPSS 0.0014

EPSS Percentile 33.9%

Exploitation Intel

VulnCheck KEV 2012-03-12

Classification

CWE

CWE-95

Status draft

Timeline

Published Oct 15, 2025

Tracked Since Feb 18, 2026