Skip to main content

RD Station EUVDEUVD-2026-37056

| CVE-2026-49774 CRITICAL
Code Injection (CWE-94)
2026-06-16 Patchstack GHSA-f9w5-9mgh-mxfm
9.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable WordPress endpoint, low-complexity code injection requiring any authenticated role (PR:L), no user interaction; PHP RCE escapes plugin scope to host (S:C) with full CIA impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 10:25 vuln.today

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion.

This issue affects RD Station: from n/a through 5.6.0.

AnalysisAI

Remote code execution in the Filipe Nasc RD Station WordPress plugin (versions up to and including 5.6.0) allows authenticated attackers to inject and execute arbitrary PHP code through an improper code-generation control flaw. The issue carries a critical CVSS 3.1 score of 9.9 with a scope-changing impact, and no public exploit identified at time of analysis, though Patchstack has catalogued it as a Remote Code Execution vulnerability in their WordPress vulnerability database.

Technical ContextAI

The RD Station plugin (cpe:2.3:a:filipe_nasc:rd_station) integrates WordPress sites with the RD Station marketing automation platform. The root cause is CWE-94 (Improper Control of Generation of Code), meaning user-controlled input flows into a code-generation or evaluation sink - typically PHP constructs such as eval(), include/require with dynamic paths, call_user_func, or unserialize - without adequate sanitization. The Patchstack advisory characterizes this specifically as Remote Code Inclusion, suggesting that attacker-controlled input is used to construct a file path or code fragment that is then included or executed by the PHP interpreter within the WordPress runtime.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data, so administrators should upgrade the integracao-rd-station plugin to the latest release published after 5.6.0 (consult the Patchstack listing at https://patchstack.com/database/wordpress/plugin/integracao-rd-station/vulnerability/wordpress-rd-station-plugin-5-6-0-remote-code-execution-rce-vulnerability and the WordPress.org plugin page for the current patched version). Until that upgrade is applied, deactivate and remove the plugin from production WordPress sites - this disables RD Station marketing integration but eliminates the attack surface entirely. If the plugin must remain active, restrict authenticated access by disabling open user registration, enforcing strong roles (no Subscriber self-signup), and placing a WAF rule (Patchstack, Wordfence, or equivalent) in front of wp-admin and the plugin's AJAX/REST endpoints to block code-injection payloads, accepting that virtual patches are best-effort and may be bypassed.

Share

EUVD-2026-37056 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy