CVE-2026-49774
Description
Unauthenticated remote code injection in RD Station plugin up to 5.6.0 allows full site takeover.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper control of code generation (code injection) vulnerability exists in the Filipe Nasc RD Station WordPress plugin, affecting versions up to and including 5.6.0 [1]. This flaw can be exploited without authentication, allowing an attacker to inject and execute arbitrary code on the target server.
Exploitation
An unauthenticated remote attacker can send specially crafted HTTP requests to the vulnerable plugin endpoint, achieving remote code inclusion without requiring any prior credentials or user interaction [1]. The attack does not require any special network position beyond standard web access.
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the target website, which can lead to full compromise of the WordPress installation including file upload, data exfiltration, and complete site takeover [1]. The CVSS v3 score of 9.9 indicates critical severity with high impact on confidentiality, integrity, and availability.
Mitigation
The vulnerability is fixed in version 5.7.0, released after the disclosure [1]. Administrators should update the RD Station plugin to 5.7.0 or later immediately. For Patchstack users, an automated mitigation rule is available to block attacks until the update is applied [1]. No workaround other than updating is documented.
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.6.0
- Range: <=5.6.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026), Wordfence Blog · Jun 11, 2026