CVE-2023-5199 in PHP to Page Plugin
Summary
by MITRE • 10/30/2023
The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to include local file and potentially execute code on the server. While subscribers may need to poison log files or otherwise get a file installed in order to achieve remote code execution, author and above users can upload files by default and achieve remote code execution easily.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/11/2026
The vulnerability identified as CVE-2023-5199 affects the PHP to Page plugin for WordPress, representing a critical security flaw that enables local file inclusion leading to remote code execution. This vulnerability exists within versions up to and including 0.3 of the plugin, creating a significant risk for WordPress installations that utilize this component. The vulnerability specifically manifests through the 'php-to-page' shortcode, which provides an attack vector that can be exploited by malicious actors with relatively low privileges within the WordPress environment.
The technical implementation of this vulnerability stems from improper input validation and sanitization within the plugin's shortcode handling mechanism. When the 'php-to-page' shortcode processes user-supplied parameters, it fails to adequately validate or sanitize the input, allowing attackers to manipulate file paths and include arbitrary local files. This weakness creates a direct pathway for attackers to access system files that should remain protected, potentially enabling them to read sensitive data or execute malicious code with the privileges of the web server process. The vulnerability operates under CWE-22, which classifies it as a path traversal or directory traversal issue, where an attacker can manipulate file paths to access unintended resources.
The operational impact of this vulnerability extends beyond simple data exposure, as it provides attackers with the capability to execute arbitrary code on the affected server. This represents a severe escalation of privileges, allowing authenticated users with subscriber-level permissions to potentially achieve remote code execution through indirect means such as log file poisoning or by leveraging other attack vectors to place malicious files in accessible locations. However, the risk is amplified for users with higher privileges, such as authors and above, who can directly upload files and immediately execute code without requiring additional exploitation steps. This vulnerability aligns with ATT&CK technique T1505.003, which covers server-side include attacks and file inclusion vulnerabilities, demonstrating how attackers can leverage such flaws to establish persistent access and execute malicious payloads.
The security implications of CVE-2023-5199 are particularly concerning given that it affects a widely used WordPress plugin and requires only minimal privileges to exploit. Attackers can leverage this vulnerability to gain unauthorized access to server resources, potentially leading to complete system compromise. The vulnerability's impact is further amplified by the fact that WordPress installations often contain sensitive information and may be running with elevated privileges, making successful exploitation particularly damaging. Organizations using this plugin should immediately assess their current deployment and implement appropriate mitigations, as the vulnerability can be exploited by attackers who have gained access to legitimate user accounts, potentially through credential compromise or social engineering attacks. The vulnerability also highlights the importance of proper input validation and the principle of least privilege in plugin development, ensuring that user-supplied data cannot be used to manipulate system behavior in ways that compromise security.