CVE-2024-13890

HIGH

Allow PHP Execute <= 1.0 - Authenticated PHP Code Injection via Unfiltered HTML

Title source: llm

Description

The Allow PHP Execute plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0. This is due to allowing PHP code to be entered by all users for whom unfiltered HTML is allowed. This makes it possible for authenticated attackers, with Editor-level access and above, to inject PHP code into posts and pages.

References (2)

Core 2

Core References

Product

https://plugins.trac.wordpress.org/browser/allow-php-execute/trunk/allow-php-execute.php#L10

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/412c39e9-9378-4c2c-817c-8d37f156af6e?source=cve

Scores

CVSS v3 7.2

EPSS 0.0043

EPSS Percentile 34.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (2)

sksdev/Allow PHP Execute < 1.0

sksdev/allow_php_execute 1.0

Published Mar 08, 2025

Tracked Since Feb 18, 2026