CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 49.2%
The PHP to Page plugin for WordPress is vulnerable to Local File Inclusion leading to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above to include local files and potentially execute code on the server. While subscribers may need to poison log files or otherwise get a file installed in order to achieve remote code execution, users with author-level permissions and above can upload files by default and achieve remote code execution easily.
Vendor | Product | Version | CPE |
---|---|---|---|
php_to_page_project | php_to_page | * | cpe:2.3:a:php_to_page_project:php_to_page:*:*:*:*:*:wordpress:*:* |
[
  {
    "vendor": "bloafer",
    "product": "PHP to Page",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "0.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]