Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable WordPress endpoint, low-complexity code injection requiring any authenticated role (PR:L), no user interaction; PHP RCE escapes plugin scope to host (S:C) with full CIA impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion.
This issue affects RD Station: from n/a through 5.6.0.
AnalysisAI
Remote code execution in the Filipe Nasc RD Station WordPress plugin (versions up to and including 5.6.0) allows authenticated attackers to inject and execute arbitrary PHP code through an improper code-generation control flaw. The issue carries a critical CVSS 3.1 score of 9.9 with a scope-changing impact, and no public exploit identified at time of analysis, though Patchstack has catalogued it as a Remote Code Execution vulnerability in their WordPress vulnerability database.
Technical ContextAI
The RD Station plugin (cpe:2.3:a:filipe_nasc:rd_station) integrates WordPress sites with the RD Station marketing automation platform. The root cause is CWE-94 (Improper Control of Generation of Code), meaning user-controlled input flows into a code-generation or evaluation sink - typically PHP constructs such as eval(), include/require with dynamic paths, call_user_func, or unserialize - without adequate sanitization. The Patchstack advisory characterizes this specifically as Remote Code Inclusion, suggesting that attacker-controlled input is used to construct a file path or code fragment that is then included or executed by the PHP interpreter within the WordPress runtime.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data, so administrators should upgrade the integracao-rd-station plugin to the latest release published after 5.6.0 (consult the Patchstack listing at https://patchstack.com/database/wordpress/plugin/integracao-rd-station/vulnerability/wordpress-rd-station-plugin-5-6-0-remote-code-execution-rce-vulnerability and the WordPress.org plugin page for the current patched version). Until that upgrade is applied, deactivate and remove the plugin from production WordPress sites - this disables RD Station marketing integration but eliminates the attack surface entirely. If the plugin must remain active, restrict authenticated access by disabling open user registration, enforcing strong roles (no Subscriber self-signup), and placing a WAF rule (Patchstack, Wordfence, or equivalent) in front of wp-admin and the plugin's AJAX/REST endpoints to block code-injection payloads, accepting that virtual patches are best-effort and may be bypassed.
More in Rd Station
View allMultiple Cross-Site Request Forgery (CSRF) vulnerabilities in RD Station plugin <= 5.2.0 at WordPress. Rated high severi
The RD Station plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37056
GHSA-f9w5-9mgh-mxfm