CVE-2023-53872

CRITICAL

Wp2Fac 1.0 - Command Injection

Title source: llm

Description

Wp2Fac 1.0 contains an OS command injection vulnerability in the send.php endpoint that allows remote attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'numara' parameter by appending shell commands with '&' operators to execute malicious code.

Exploits (1)

exploitdb WORKING POC

by Ahmet Ümit BAYRAM · pythonwebappsphp

https://www.exploit-db.com/exploits/51717

View Code ZIP pw:eip

References (3)

[Various Sources] https://github.com/metinyesil/wp2fac

[Third Party Advisory] https://www.vulncheck.com/advisories/wpfac-os-command-injection-via-sendphp-endpoint

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/51717

Scores

CVSS v4 9.3

EPSS 0.0089

EPSS Percentile 75.5%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Details

CWE

CWE-78

Status published

Products (1)

wp2fac/Wp2Fac 1.0

Published Dec 15, 2025

Tracked Since Feb 18, 2026