CVE-2023-24421 in PHP Compatibility Checker Plugin
Summary
by MITRE • 07/11/2023
Cross-Site Request Forgery (CSRF) vulnerability in WP Engine PHP Compatibility Checker plugin <= 1.5.2 versions.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 06/23/2026
This Cross-Site Request Forgery vulnerability exists within the WP Engine PHP Compatibility Checker plugin version 1.5.2 and earlier, representing a critical security flaw that allows authenticated attackers to execute unauthorized actions on behalf of legitimate users. The vulnerability stems from insufficient validation of HTTP request origins and lack of proper anti-CSRF token implementation in the plugin's administrative interfaces. Attackers can craft malicious requests that appear to originate from legitimate administrative sessions, exploiting the trust relationship between the WordPress admin interface and the affected plugin.
The technical flaw manifests through the absence of CSRF protection mechanisms specifically within the plugin's settings and configuration pages where administrative actions are processed. When administrators access these pages, the plugin fails to validate that requests originate from the intended source or require a valid anti-CSRF token for processing sensitive operations. This allows attackers who have gained access to an administrator session cookie or can trick administrators into visiting malicious sites to perform unauthorized modifications to PHP compatibility settings, potentially leading to system compromise or denial of service conditions.
The operational impact of this vulnerability is significant as it directly undermines the integrity of WordPress administrative functions and could enable attackers to manipulate plugin configurations, potentially disrupting website operations or creating backdoor access points. Given that the WP Engine PHP Compatibility Checker plugin is designed to work with various PHP versions and compatibility settings, an attacker could exploit this flaw to modify critical PHP environment configurations, leading to application instability or security degradation. The vulnerability affects all WordPress installations running the affected plugin version and poses a particular risk in environments where administrators frequently access administrative interfaces from shared or public computing devices.
Security mitigations for this vulnerability include immediate upgrade to WP Engine PHP Compatibility Checker plugin version 1.5.3 or later, which implements proper CSRF token validation mechanisms and origin verification. Administrators should also implement additional security measures such as enabling two-factor authentication for administrative accounts, restricting administrative access through IP whitelisting, and monitoring for suspicious administrative activities. The vulnerability aligns with CWE-352 which specifically addresses Cross-Site Request Forgery weaknesses in web applications, and follows ATT&CK technique T1078 004 related to valid accounts exploitation through session hijacking and privilege escalation vectors.
Organizations should conduct comprehensive security assessments of their WordPress installations to identify all instances of the vulnerable plugin and ensure proper patch management procedures are in place. The vulnerability demonstrates the critical importance of implementing robust anti-CSRF protections in all administrative interfaces, particularly in plugins that handle sensitive system configuration changes. Regular security audits and automated vulnerability scanning tools should be employed to detect similar issues across the entire WordPress ecosystem, as this type of vulnerability commonly affects third-party plugins due to insufficient security testing during development phases.