WordPress Woody Code Snippets Plugin PHP Code Injection Vulnerability

Vulnerability

A PHP code injection vulnerability has been identified in the WordPress Woody Code Snippets plugin, specifically in versions prior to 3.3.1. This vulnerability allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API. Exploitation involves sending POST requests to the wp-json/wp/v2/posts endpoint with content that includes insert_php shortcodes, which can be used to include and execute remote PHP files on the server.

Impact

Exploitation of this vulnerability allows for arbitrary PHP code execution on the server, potentially leading to the execution of malicious payloads or backdoors.

Reproduction

To reproduce this vulnerability, send a POST request to the wp-json/wp/v2/posts endpoint. Include a crafted content payload that contains insert_php shortcodes, directing the plugin to execute PHP code from a specified URL. This can be done using tools like curl or Postman.

Remediation

Users are advised to update the Woody Code Snippets plugin to version 3.3.1 or later.
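A defender-side check for the request pattern described above, as an added example that is not part of the original advisory or the plugin's code: it flags logged POST requests to wp-json/wp/v2/posts whose content carries an insert_php shortcode, and tests whether an installed plugin version is older than 3.3.1. The log layout (JSON lines with method, url, body), the function names and the sample records are assumptions constructed for illustration; the example also goes beyond the advisory by matching WordPress's ?rest_route= form of the same route and form-encoded bodies.

```python
import json
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

FIXED_VERSION = (3, 3, 1)  # first fixed release named in the advisory
# Assumption: standard WordPress bracket syntax for the shortcode opener.
SHORTCODE_RE = re.compile(r"\[\s*insert_php\b", re.IGNORECASE)

def is_vulnerable_version(version):
    """True when a dotted plugin version string is older than 3.3.1."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts))) < FIXED_VERSION

def targets_posts_endpoint(url):
    """Match wp-json/wp/v2/posts and WordPress's ?rest_route= form of it."""
    split = urlsplit(url)
    if split.path.rstrip("/").endswith("/wp-json/wp/v2/posts"):
        return True
    routes = parse_qs(split.query).get("rest_route", [])
    return any(r.rstrip("/") == "/wp/v2/posts" for r in routes)

def extract_content(body):
    """Post content from a JSON body; URL-decoded raw body for anything else."""
    try:
        content = json.loads(body).get("content", "")
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        return unquote_plus(body)
    return content if isinstance(content, str) else json.dumps(content)

def flag_requests(log_lines):
    """Return records that POST an insert_php shortcode to the posts endpoint."""
    recs = (json.loads(line) for line in log_lines)
    return [r for r in recs
            if r.get("method", "").upper() == "POST"
            and targets_posts_endpoint(r.get("url", ""))
            and SHORTCODE_RE.search(extract_content(r.get("body", "")))]

# Constructed sample records (hypothetical log layout: method, url, body).
SAMPLE_LOG = [
    json.dumps({"method": "POST", "url": "/wp-json/wp/v2/posts",
                "body": json.dumps({"content": "[insert_php]PLACEHOLDER[/insert_php]"})}),
    json.dumps({"method": "POST", "url": "/?rest_route=/wp/v2/posts",
                "body": "content=%5Binsert_php%5DPLACEHOLDER%5B%2Finsert_php%5D"}),
    json.dumps({"method": "POST", "url": "/wp-json/wp/v2/posts",
                "body": json.dumps({"content": "Weekly release notes"})}),
    json.dumps({"method": "GET", "url": "/wp-json/wp/v2/posts", "body": ""}),
]
```

This only works on logs that capture request bodies (for example a WAF or reverse proxy with body logging enabled), since a standard access log does not record POST content.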

Added: Jun 9, 2026, 1:56 PM
Updated: Jun 9, 2026, 1:56 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 10.0
exploitability: 9.7
remediation: 0.0
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.