Description
The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the `update_wp_memory_constants()` method. This is due to insufficient input validation on the `wp_memory_limit` and `wp_max_memory_limit` settings before writing them to `wp-config.php`. The `sanitize_text_field()` function used for sanitization does not filter single quotes, allowing an attacker to break out of the string context in a PHP `define()` statement. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject and execute arbitrary PHP code on the server by modifying `wp-config.php`, which is loaded on every page request.
Published: 2026-03-07
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

An insecure sanitization routine in the Easy PHP Settings plugin allows administrators to insert arbitrary PHP code via the wp_memory_limit and wp_max_memory_limit settings, because sanitize_text_field does not strip single quotes. Since the plugin writes these settings into wp-config.php, an authenticated administrator can break out of the define() string and embed code, which then runs on every request with the permissions of the process that loads the file. This is a classic code injection flaw (CWE-94).
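As an added defensive example (not the plugin's own code; the function names and the wp-config.php fragment are constructed for this illustration): a strict validator that accepts only PHP shorthand byte values for the two settings, a builder that emits the define() line from a validated value only, and an audit routine that flags any WP_MEMORY_LIMIT or WP_MAX_MEMORY_LIMIT define() in wp-config.php whose value is not a plain quoted byte value followed by nothing else on the line.

```php
<?php
// Added example, not part of the Easy PHP Settings plugin. Function names are
// assumptions; the sample configuration below is constructed.
declare(strict_types=1);

// Accept only PHP shorthand byte values: digits with an optional K/M/G suffix.
// A value carrying a quote, semicolon or anything else is rejected outright
// instead of being "sanitized" (sanitize_text_field() leaves single quotes in).
function validate_memory_limit(string $value): ?string
{
    $value = strtoupper(trim($value));
    return preg_match('/^[0-9]{1,10}[KMG]?$/', $value) === 1 ? $value : null;
}

// Build the define() line from a validated value only. var_export() produces a
// correctly quoted PHP string literal, so the value can never terminate the
// literal early. Returns null when the constant or value is not acceptable.
function build_define_line(string $constant, string $value): ?string
{
    if (!in_array($constant, ['WP_MEMORY_LIMIT', 'WP_MAX_MEMORY_LIMIT'], true)) {
        return null;
    }
    $validated = validate_memory_limit($value);
    if ($validated === null) {
        return null;
    }
    return sprintf("define( '%s', %s );", $constant, var_export($validated, true));
}

// Audit wp-config.php: each define() of the two constants (single-quoted form,
// as WordPress writes it) must be exactly a quoted shorthand byte value, then
// ");" and nothing more on that line. Anything else is reported as a finding.
function audit_wp_config(string $contents): array
{
    $findings = [];
    $defineLine = '/^\s*define\(\s*\'(WP_MEMORY_LIMIT|WP_MAX_MEMORY_LIMIT)\'\s*,\s*(.*)$/';
    $cleanValue = "/^'[0-9]{1,10}[KMG]?'\\s*\\)\\s*;$/i";
    foreach (explode("\n", $contents) as $index => $line) {
        if (preg_match($defineLine, $line, $m) !== 1) {
            continue;
        }
        $rest = trim($m[2]);
        if (preg_match($cleanValue, $rest) !== 1) {
            $findings[] = sprintf('line %d: %s has unexpected value or trailing content: %s',
                $index + 1, $m[1], $rest);
        }
    }
    return $findings;
}

// Constructed wp-config.php fragment: line 3 carries extra content after the
// define() and must be reported.
$sample = <<<'CFG'
<?php
define( 'WP_MEMORY_LIMIT', '256M' );
define( 'WP_MAX_MEMORY_LIMIT', '512M' ); $unexpected = 1;
define( 'DB_NAME', 'wordpress' );
CFG;

var_dump(validate_memory_limit('256M'));
var_dump(validate_memory_limit("256M'"));
var_dump(build_define_line('WP_MEMORY_LIMIT', '256m'));
print_r(audit_wp_config($sample));
```

The audit is deliberately strict: it does not try to decide whether trailing content is harmful, only whether the line is exactly the shape the plugin is supposed to write, which is the property a file-integrity check on wp-config.php should enforce after applying the patch.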

Affected Systems

Vulnerable versions are Easy PHP Settings 1.0.4 and earlier. The issue is in the update_wp_memory_constants() method of the plugin, which is published by Shahadul878 for WordPress. WordPress sites running any of those versions are at risk.

Risk and Exploitability

A CVSS score of 7.2 indicates moderate-to-high severity, while the EPSS score below 1 percent suggests that public exploitation is currently unlikely. Because the flaw requires administrator-level authentication, only users who already hold admin access can exploit it directly. The vulnerability is not listed in the KEV catalog; the risk is primarily that an authenticated administrator can run arbitrary code on the server, which could lead to full server compromise. Based on the description, the attacker must have administrator privileges in WordPress to modify the plugin's settings, and the attack vector is likely the WordPress administrative interface, where those settings are altered to inject code.

Generated by OpenCVE AI on April 15, 2026 at 16:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Easy PHP Settings plugin to version 1.0.5 or later, as the code injection flaw is fixed in that release.
  • Restore a clean copy of wp-config.php from backup or from the plugin release to remove any injected code.
  • Change the file permissions on wp-config.php to readable only by the web server and not writable by administrators after the patch is applied.
  • Remove or disable the Easy PHP Settings plugin if an immediate update is not possible so that the vulnerable input route is unavailable.

Generated by OpenCVE AI on April 15, 2026 at 16:44 UTC.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Shahadul878; Shahadul878 easy Php Settings; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Shahadul878; Shahadul878 easy Php Settings; Wordpress; Wordpress wordpress

Sat, 07 Mar 2026 02:15:00 +0000

Type: Description
Values Added: The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the `update_wp_memory_constants()` method. This is due to insufficient input validation on the `wp_memory_limit` and `wp_max_memory_limit` settings before writing them to `wp-config.php`. The `sanitize_text_field()` function used for sanitization does not filter single quotes, allowing an attacker to break out of the string context in a PHP `define()` statement. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject and execute arbitrary PHP code on the server by modifying `wp-config.php`, which is loaded on every page request.

Type: Title
Values Added: Easy PHP Settings <= 1.0.4 - Authenticated (Administrator+) PHP Code Injection via 'wp_memory_limit' Setting

Type: Weaknesses
Values Added: CWE-94

Type: References
Values Added: (none shown)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Shahadul878 Easy Php Settings
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:12.443Z

Reserved: 2026-02-27T16:44:39.061Z

Link: CVE-2026-3352

Vulnrichment

Updated: 2026-03-09T19:07:37.577Z

NVD

Status: Deferred

Published: 2026-03-07T02:16:13.330

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-3352

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses