Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

AccessAlly WordPress Plugin Unauthenticated Arbitrary PHP Code Execution Vulnerability

Vulnerability

The Login Widget of the AccessAlly WordPress plugin, in versions prior to 3.3.2, processes the login_error request parameter as PHP code instead of treating it as an opaque string. An unauthenticated attacker who can reach a page that renders the widget can therefore place PHP code in that parameter and have it executed in the context of the web server process, which amounts to remote code execution on the host.

Impact

Exploitation allows an unauthenticated attacker to execute arbitrary PHP code on the server with the privileges of the web server account, which in practice means full control of the WordPress site, including the database credentials stored in wp-config.php and the ability to install persistent backdoors.

Reproduction

The issue can be reproduced by sending a request, without any authentication, to a page that renders the Login Widget with a crafted login_error parameter whose value contains PHP code. The server executes the injected code, giving arbitrary code execution.
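The following script is an added example, not code from this page, the plugin or its vendor. It scans web-server access logs for requests that carry PHP code in a login_error query parameter, which is the check a defender wants when deciding whether an exposed site was hit before it was patched. The log lines and payload shapes are constructed for illustration, and the list of PHP markers is an assumption about what injected code typically looks like; the page itself does not publish the exploit payload. Access logs only record the query string, so a payload delivered in a POST body is only visible in WAF or request-body logs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined log format) for illustration only.
# The payloads are generic PHP-injection shapes, not the actual exploit.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jan/2026:17:40:01 +0000] "GET /?login_error=Invalid%20password HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Jan/2026:17:41:13 +0000] "GET /?login_error=%22.system(%27id%27).%22 HTTP/1.1" 200 812 "-" "curl/8.4.0"
198.51.100.4 - - [09/Jan/2026:17:42:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Jan/2026:17:43:20 +0000] "GET /members/?login_error=%3C%3Fphp%20eval(base64_decode($_GET%5Bc%5D))%3B%3F%3E HTTP/1.1" 200 4096 "-" "python-requests/2.31"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators that a login_error value is PHP code rather than an error message.
# This list is an assumption about typical payloads, not taken from the advisory.
PHP_MARKERS = re.compile(
    r"<\?(?:php|=)"                                                   # PHP open tag
    r"|\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|base64_decode)\s*\("
    r"|\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"                        # superglobals
    r"|\$\{"                                                          # ${...} interpolation
    r"|[\"']\s*\.\s*\w+\s*\(",                                        # quote break-out into a call
    re.IGNORECASE,
)


def login_error_values(target):
    """All decoded login_error values in the request target's query string."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("login_error", [])


def find_suspicious_requests(log_text):
    """Return one record per request whose login_error value looks like PHP code."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parseable access-log line
        for value in login_error_values(m.group("target")):
            markers = sorted({x.group(0) for x in PHP_MARKERS.finditer(value)})
            if markers:
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "login_error": value,
                    "markers": markers,
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} "
              f"markers={hit['markers']} value={hit['login_error']!r}")
```

Run it against the real access log by replacing SAMPLE_LOG with the file contents; a hit with status 200 is the one to treat as a probable successful execution, since the page says the widget executes the code during normal rendering. Extend PHP_MARKERS with whatever payload fragments your WAF or vendor publishes rather than trusting the generic list alone.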

Remediation

Update the AccessAlly WordPress plugin to version 3.3.2 or later, where this issue is fixed. Because the flaw is being exploited in the wild and requires no authentication, a site that ran an affected version while reachable from the internet should also be checked for signs of compromise (unexpected PHP files, modified plugin or theme files, new administrator accounts) rather than only updated.
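As an added example, not code from the page or the vendor, the following Python script reads the version from a WordPress plugin's main file header and reports whether it is below the fixed release 3.3.2, so the check can be run across many installs without logging into each dashboard. The sample header is constructed for offline testing, and the plugin directory name accessally used in the usage stub is an assumption; check it against your install.

```python
import re
import sys
from pathlib import Path

FIXED_VERSION = "3.3.2"  # first fixed release named in the advisory

# Constructed plugin header, shaped like a WordPress plugin header, for
# testing the parser offline. It is not the plugin's actual file.
SAMPLE_HEADER = """\
<?php
/**
 * Plugin Name: AccessAlly
 * Plugin URI:  https://example.invalid/accessally
 * Description: Constructed header for testing the version check.
 * Version:     3.3.1
 * Author:      Example
 */
"""

# A header field is "Version:" at the start of a line, possibly behind comment
# decoration such as " * " or "# ".
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE)


def plugin_version_from_source(source):
    """Return the Version: value from a WordPress plugin header, or None."""
    m = _VERSION_RE.search(source[:8192])  # WordPress itself reads only the first 8 KB
    return m.group(1) if m else None


def parse_version(version):
    """Numeric (major, minor, patch) tuple; a -beta/+build suffix is dropped."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = [int(x) for x in re.findall(r"\d+", core)]
    if not parts:
        return (0, 0, 0)
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is strictly older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def check_plugin_dir(plugin_dir):
    """Locate the main plugin file (the one carrying 'Plugin Name:') and classify it."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        src = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if "Plugin Name:" not in src:
            continue
        ver = plugin_version_from_source(src)
        return {
            "file": str(php),
            "version": ver,
            "vulnerable": is_vulnerable(ver) if ver else None,  # None: header unreadable
        }
    return {"file": None, "version": None, "vulnerable": None}


if __name__ == "__main__":
    # Assumed default location; the plugin directory name is not given by the advisory.
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins/accessally"
    print(check_plugin_dir(target))
```

A result with vulnerable set to None means no readable header was found and the install needs a manual look. The numeric comparison treats a pre-release such as 3.3.2-beta as fixed, which is an assumption; if you run pre-release builds, confirm the fix with the vendor. Where WP-CLI is available, the same answer comes from `wp plugin get <slug> --field=version`.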

Added: Jan 9, 2026, 5:34 PM
Updated: Jan 9, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm (score per category, 0.0 to 10.0)

spread: 1.0
impact: 10.0
exploitability: 10.0
remediation: 7.7
relevance: 2.0
threat: 8.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.