Skip to main content

Five Star Business Profile And Schema

1 CVEs product

Monthly

CVE-2026-27436 CRITICAL Act Now

Remote code execution in the Five Star Business Profile and Schema WordPress plugin (versions up to and including 2.3.19) allows an attacker holding an Editor-level or higher account to inject and execute arbitrary PHP code on the host. Reported by Patchstack and rated CVSS 9.1 due to its scope-changing impact, the flaw turns a trusted content role into full server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CWE-94 code-injection root cause makes reliable exploitation straightforward for any authorized high-privilege user.

Code Injection RCE Five Star Business Profile And Schema
NVD VulDB
CVSS 3.1
9.1
EPSS
0.4%
EPSS 0% CVSS 9.1
CRITICAL Act Now

Remote code execution in the Five Star Business Profile and Schema WordPress plugin (versions up to and including 2.3.19) allows an attacker holding an Editor-level or higher account to inject and execute arbitrary PHP code on the host. Reported by Patchstack and rated CVSS 9.1 due to its scope-changing impact, the flaw turns a trusted content role into full server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CWE-94 code-injection root cause makes reliable exploitation straightforward for any authorized high-privilege user.

Code Injection RCE Five Star Business Profile And Schema
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy