Critical severity9.9NVD Advisory· Published Oct 30, 2023· Updated Apr 8, 2026

CVE-2023-5199

Description

The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to include local file and potentially execute code on the server. While subscribers may need to poison log files or otherwise get a file installed in order to achieve remote code execution, author and above users can upload files by default and achieve remote code execution easily.

Affected products

Php To Page Project/PHP To Page
cpe:2.3:a:php_to_page_project:php_to_page:*:*:*:*:*:wordpress:*:*
Range: <=0.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/php-to-page/trunk/php-to-page.phpnvdExploit
www.wordfence.com/threat-intel/vulnerabilities/id/83e5a0dc-fc51-4565-945f-190cf9175874nvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.643
epss	0.004
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000