CVE-2026-4375
Unknown · DoLeads Integrator and wp2epub
The DoLeads Integrator and wp2epub WordPress plugins are susceptible to code injection, allowing unauthorized users to achieve remote code execution.
Executive summary
Critical code injection vulnerabilities in DoLeads Integrator and wp2epub plugins allow unauthorized remote code execution, threatening the integrity and availability of affected WordPress sites.
Vulnerability
These plugins are susceptible to improper control of code generation (CWE-94), which can be leveraged to achieve remote code execution (RCE). The vulnerability appears to stem from mechanisms that allow the installation of unverified extensions from wordpress.org.
Business impact
With a CVSS score of 9.0, this vulnerability poses a severe threat to the host environment. Successful exploitation allows an attacker to execute arbitrary code on the server, potentially leading to full site takeover, unauthorized data access, and the persistence of malicious scripts within the application infrastructure.
Remediation
Immediate Action: Remove or disable the DoLeads Integrator and wp2epub plugins from all WordPress installations until a verified secure version is released.
Proactive Monitoring: Monitor server logs for unusual PHP execution patterns or modifications to system files that occur without corresponding administrative actions.
Compensating Controls: Restrict access to the WordPress dashboard to known, trusted IP addresses and implement a WAF to filter malicious input payloads.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the severity of the RCE risk and the lack of specific patch information, the most prudent course of action is to uninstall these plugins. If the functionality is not business-critical, removal is the only guaranteed mitigation against this class of vulnerability.