CVE-2017-20251

CRITICAL

WordPress Insert PHP Plugin 4.7.0 PHP Code Injection via REST API

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-20251. PoCs published by CrashBandicot, Polosss.

AI-analyzed exploit summary This exploit leverages the WordPress REST API vulnerability (CVE-2017-20251) to inject malicious PHP code via the 'Insert PHP' plugin. The PoC demonstrates how an attacker can send a crafted HTTP POST request to execute arbitrary PHP code on a vulnerable WordPress site.

Description

WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API. Attackers can send POST requests to the wp-json/wp/v2/posts endpoint with crafted content containing insert_php shortcodes to include and execute remote PHP files on the server.

Exploits (2)

exploitdb WORKING POC

by CrashBandicot · textwebappsphp

https://www.exploit-db.com/exploits/41308

View Code ZIP pw:eip

This exploit leverages the WordPress REST API vulnerability (CVE-2017-20251) to inject malicious PHP code via the 'Insert PHP' plugin. The PoC demonstrates how an attacker can send a crafted HTTP POST request to execute arbitrary PHP code on a vulnerable WordPress site.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: WordPress with Insert PHP plugin <3.3.1

No auth needed

Prerequisites: WordPress REST API enabled · Insert PHP plugin version <3.3.1 installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Jun 09, 2026 Full analysis →

github WORKING POC

by Polosss · shellpoc

https://github.com/Polosss/By-Poloss..-..CVE-2017-20251

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2017-20251, demonstrating PHP code injection via the Insert PHP plugin's [insert_php] shortcode. The script automates post creation with malicious shortcode content and verifies RCE by checking for a marker file.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Insert PHP plugin (now Woody Code Snippets) < 3.3.1

Auth required

Prerequisites: WordPress site with vulnerable plugin · Contributor+ access or REST API access (WP < 4.7)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Jun 09, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-41308

https://www.exploit-db.com/exploits/41308

Product product

Official Product Homepage

https://fr.wordpress.org/plugins/insert-php/

Third Party Advisory third-party-advisory

VulnCheck Advisory: WordPress Insert PHP Plugin 4.7.0 PHP Code Injection via REST API

https://www.vulncheck.com/advisories/wordpress-insert-php-plugin-php-code-injection-via-rest-api

Scores

CVSS v3 9.8

EPSS 0.0007

EPSS Percentile 21.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-94

Status published

Products (1)

Themeisle/Woody Code Snippets < 3.3.1

Published Jun 09, 2026

Tracked Since Jun 09, 2026