CVE-2026-3352
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Tags
Description
The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the `update_wp_memory_constants()` method. This is due to insufficient input validation on the `wp_memory_limit` and `wp_max_memory_limit` settings before writing them to `wp-config.php`. The `sanitize_text_field()` function used for sanitization does not filter single quotes, allowing an attacker to break out of the string context in a PHP `define()` statement. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject and execute arbitrary PHP code on the server by modifying `wp-config.php`, which is loaded on every page request.
Analysis
Arbitrary PHP code execution in the Easy PHP Settings WordPress plugin through versions 1.0.4 allows authenticated administrators to inject malicious code via inadequately sanitized memory limit configuration parameters that bypass quote filtering in wp-config.php. An attacker with administrator privileges can exploit insufficient input validation in the `update_wp_memory_constants()` method to break out of PHP string context and execute arbitrary commands that execute on every page request. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all WordPress installations to identify Easy PHP Settings plugin usage and document affected systems. Within 7 days: Disable or remove the Easy PHP Settings plugin from all production environments; if removal is not feasible, implement network-level access controls to restrict plugin functionality. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today