CVE-2017-20251
WordPress · Insert PHP
The WordPress Insert PHP plugin contains a PHP code injection vulnerability allowing unauthenticated remote code execution via the REST API.
Executive summary
A critical code injection vulnerability in the WordPress Insert PHP plugin allows unauthenticated attackers to achieve remote code execution, posing a severe risk to site integrity.
Vulnerability
This is a PHP code injection vulnerability where unauthenticated attackers can inject malicious shortcodes via the wp-json/wp/v2/posts REST API endpoint. The vulnerability facilitates the inclusion and execution of arbitrary remote PHP files on the underlying server.
Business impact
With a CVSS score of 9.8, this vulnerability represents a critical threat to business operations. Successful exploitation grants an attacker full control over the web server, leading to potential data exfiltration, total site compromise, and the deployment of persistent backdoors within the hosting environment.
Remediation
Immediate Action: Update the WordPress Insert PHP plugin to version 3.3.1 or higher to apply the vendor-supplied patch.
Proactive Monitoring: Audit WordPress access logs for suspicious POST requests targeting the wp-json/wp/v2/posts endpoint and monitor server file integrity for unexpected PHP file creation.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block suspicious REST API payloads and inspect incoming shortcode parameters for malicious PHP syntax.
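The two monitoring checks above (auditing access logs for write requests to the wp-json/wp/v2/posts endpoint, and watching for unexpected PHP files) as an added Python example. This is not code from the advisory or from the plugin vendor; the log lines and the file names under the temporary WordPress root are constructed samples, and the combined-log regex assumes the default Apache/nginx access-log format.

```python
"""
Added defensive example (not part of the original advisory, not the plugin's code).
Implements the two Remediation checks:
  1. flag POST/PUT/PATCH requests to the wp-json/wp/v2/posts REST endpoint in access logs
  2. compare the PHP files under a WordPress root against a hash baseline
All log lines and files below are constructed samples.
"""
import hashlib
import os
import re
import tempfile
from collections import Counter

# Apache/nginx "combined" log format (assumed), e.g.
# 203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 401 78 "-" "curl/7.88.1"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint named in the advisory; query strings and trailing slashes are stripped before matching.
WATCHED_PATH = "/wp-json/wp/v2/posts"

# Constructed sample access log: two write requests to the posts endpoint from one source,
# one ordinary GET, one unrelated login POST and one malformed line.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 401 78 "-" "curl/7.88.1"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:40 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Oct/2023:13:57:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'not a valid log line',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0].rstrip("/")
    return entry


def suspicious_posts(lines):
    """Return entries for write requests to the posts endpoint or any /posts/<id> sub-path.

    Both 2xx and 4xx responses are kept: failed attempts are still worth reviewing.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        on_endpoint = entry["path"] == WATCHED_PATH or entry["path"].startswith(WATCHED_PATH + "/")
        if on_endpoint and entry["method"] in ("POST", "PUT", "PATCH"):
            hits.append(entry)
    return hits


def summarize_by_ip(hits):
    """Count flagged requests per source address."""
    return Counter(h["ip"] for h in hits)


def hash_php_files(root):
    """Map relative path -> SHA-256 for every .php file below root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                result[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return result


def integrity_diff(baseline, current):
    """Report PHP files that appeared, changed or vanished since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    removed = sorted(set(baseline) - set(current))
    return {"added": added, "changed": changed, "removed": removed}


def demo_integrity():
    """Constructed scenario: baseline a tiny WordPress root, then alter one file and drop a new one."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require 'wp-blog-header.php';\n")
        baseline = hash_php_files(root)
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("// constructed: modified after baseline\n")
        with open(os.path.join(root, "wp-content", "uploads", "dropped.php"), "w") as fh:
            fh.write("<?php // constructed: PHP file where none is expected\n")
        return integrity_diff(baseline, hash_php_files(root))


if __name__ == "__main__":
    hits = suspicious_posts(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("per source:", dict(summarize_by_ip(hits)))
    print("integrity:", demo_integrity())
```

In production the baseline from hash_php_files would be taken right after a clean install or the 3.3.1 update and stored off-host, so a later run can be compared against a copy the web server cannot rewrite. The log check deliberately keeps 401 and 403 responses: a burst of rejected writes to the posts endpoint from one address is exactly the pattern worth correlating with the file-integrity report.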
Exploitation status
Public Exploit Available: True
Analyst recommendation
Given the critical CVSS severity and the availability of public exploits, this vulnerability poses an immediate danger to WordPress environments. Administrators should audit their plugin inventory and apply the 3.3.1 update without delay to mitigate the risk of full system compromise.