CVE-2023-5201 in OpenHook Plugininfo

Summary

by MITRE • 10/25/2023

The OpenHook plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.3.0 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server. This requires the [php] shortcode setting to be enabled on the vulnerable site.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/10/2026

The OpenHook plugin for WordPress presents a critical remote code execution vulnerability that affects versions up to and including 4.3.0. This vulnerability specifically exploits the 'php' shortcode functionality, creating a significant security risk for WordPress installations that have this feature enabled. The flaw enables authenticated attackers who possess subscriber-level permissions or higher to execute arbitrary code on the affected server, fundamentally compromising the system's integrity and potentially leading to full system compromise.

The technical implementation of this vulnerability stems from insufficient input validation and sanitization within the plugin's shortcode processing mechanism. When the [php] shortcode is enabled, the plugin fails to properly validate or sanitize user-supplied input before executing PHP code on the server. This represents a classic command injection vulnerability where malicious code can be injected through the shortcode parameter, bypassing normal WordPress security controls. The vulnerability falls under CWE-94, which describes improper control of generation of code, specifically highlighting the dangerous execution of untrusted code. The attack vector requires minimal privileges since only subscriber-level access is needed, making this particularly concerning for WordPress sites with less restrictive user management policies.

The operational impact of this vulnerability extends far beyond simple code execution, as it provides attackers with persistent access to the server environment. Once exploited, attackers can manipulate the WordPress installation, steal sensitive data, install additional malware, or use the compromised server as a launchpad for further attacks within the network. The vulnerability's exploitation requires the specific shortcode setting to be enabled, but this configuration is often overlooked during security audits, making the risk more widespread than initially apparent. This weakness directly maps to ATT&CK technique T1059.007, which covers the use of PowerShell for execution, though in this case the execution method involves PHP code injection rather than PowerShell.

Mitigation strategies for this vulnerability require immediate action including updating to a patched version of the OpenHook plugin, which should address the shortcode validation issues. Administrators should also disable the [php] shortcode functionality if it is not essential for site operations, as this removes the attack surface entirely. Network segmentation and monitoring should be implemented to detect unusual code execution patterns that might indicate exploitation attempts. Regular security audits should include verification of plugin configurations to ensure that dangerous features like code execution shortcodes are properly secured or disabled. Additionally, implementing web application firewalls and privilege-based access controls can help reduce the potential impact of such vulnerabilities. The vulnerability highlights the importance of proper input validation and the principle of least privilege in plugin development, where features that allow code execution should be carefully restricted and validated.

Responsible

Wordfence

Reservation

09/26/2023

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.01429

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!