CVE-2017-20251 in Woody Code Snippets

Summary

by MITRE • 06/09/2026

WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API. Attackers can send POST requests to the wp-json/wp/v2/posts endpoint with crafted content containing insert_php shortcodes to include and execute remote PHP files on the server.

Analysis

by VulDB Data Team • 06/09/2026

This vulnerability in the WordPress Insert PHP plugin is a critical flaw with serious consequences for affected installations. It affects versions prior to 3.3.1 and stems from inadequate input validation in the plugin's shortcode processing. The plugin fails to sanitize user-supplied content that arrives through the WordPress REST API, which opens a path to remote code execution. The affected endpoint is wp-json/wp/v2/posts, part of the WordPress REST API that provides programmatic access to content management functions.

Exploitation follows a well-defined pattern that relies on the WordPress REST API accepting unauthenticated requests. An attacker crafts a POST request to the vulnerable endpoint whose content contains insert_php shortcodes referencing external PHP files. The plugin processes these shortcodes without proper sanitization, so arbitrary PHP code is included and executed on the server. The attack bypasses WordPress's normal security controls by going through a legitimate API endpoint intended for content creation and modification. The flaw is classified as CWE-94, "Improper Control of Generation of Code", a classic code injection weakness that leads to remote code execution.

The operational impact goes well beyond code execution: a successful attacker gains complete control of the affected WordPress installation. From there they can upload malicious files, modify existing content, steal sensitive data, and use the compromised server as a foothold for further attacks on the surrounding network. Because no authentication is required, anyone who can reach the site can exploit the flaw without valid credentials, which makes publicly accessible sites especially exposed. Detection through traditional security monitoring is also harder, since the attack rides on what looks like legitimate REST API traffic. This vulnerability directly aligns with ATT&CK technique T1059.007 for "Command and Scripting Interpreter: PHP" and represents a significant threat to WordPress security ecosystems.

Mitigation starts with updating the plugin to version 3.3.1 or later, which contains the input validation fixes. Administrators should also restrict access to the WordPress REST API at the network level, particularly for unauthenticated requests. Further measures include monitoring API traffic for suspicious shortcode patterns, deploying web application firewall rules that detect and block shortcode injection, and auditing installed plugins regularly. Rate limiting on API endpoints and exposing only the REST API functionality that is actually needed reduce the attack surface further. The vulnerability underscores the importance of keeping all WordPress components updated and following security best practices for plugin management and API security.
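As an added example (not VulDB's or the plugin's own code), a minimal must-use plugin that applies two of the mitigations above on a site that cannot be patched immediately: it rejects REST create/update requests whose content carries an insert_php shortcode, and it refuses unauthenticated REST requests outright. It assumes a standard WordPress install; the hook names are WordPress core filters, while the function name is hypothetical.

```php
<?php
/**
 * Plugin Name: Block insert_php shortcodes via REST (stop-gap, added example)
 * Drop into wp-content/mu-plugins/ until the plugin is updated to 3.3.1+.
 */

// Reject any REST create/update of a post or page whose content contains an
// [insert_php] shortcode. A plain regex is used instead of has_shortcode(),
// which only matches tags that are currently registered.
function example_block_insert_php_via_rest( $prepared_post, $request ) {
    $content = isset( $prepared_post->post_content ) ? $prepared_post->post_content : '';
    if ( preg_match( '/\[\s*insert_php\b/i', $content ) ) {
        // Log enough to investigate without echoing the payload back to the caller.
        error_log( sprintf(
            'Blocked insert_php shortcode via REST from %s (user %d)',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            get_current_user_id()
        ) );
        return new WP_Error(
            'rest_forbidden_shortcode',
            'The insert_php shortcode cannot be set through the REST API.',
            array( 'status' => 403 )
        );
    }
    return $prepared_post;
}
add_filter( 'rest_pre_insert_post', 'example_block_insert_php_via_rest', 10, 2 );
add_filter( 'rest_pre_insert_page', 'example_block_insert_php_via_rest', 10, 2 );

// Require a logged-in user for every REST request, matching the advice above
// to limit unauthenticated access to the REST API.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // another handler already decided (error or success)
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication is required to use the REST API.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );
```

The blanket authentication filter will also break themes or plugins that rely on public REST endpoints, so scope it to the routes you need if that happens.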

Responsible

VulnCheck

Reservation

06/08/2026

Disclosure

06/09/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00559

KEV

no

Activities

low

Sources