WordPress 4.6 Blind OS Command Execution
Impact: High
Description
PHPMailer before 5.2.18 allows remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code. In WordPress, the HTTP Host header can be used to reach this flaw and execute OS commands on the server remotely.
Recommendation
Upgrade WordPress to the latest stable version.
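The root cause described above is a sender address that reaches the mail command line without strict validation, with the Host header as the attacker-controlled input. The snippet below is an added illustration of the defensive pattern, not WordPress or PHPMailer code: the From address is taken from configuration rather than from the request, and both sender and recipient are validated against a conservative character set before anything is handed to the mail transport. The constant SITE_MAIL_DOMAIN and the function names are assumptions made for this example.

```php
<?php
// Added example (not WordPress or PHPMailer code): derive and validate a
// sender address without trusting the HTTP Host header.

// Assumption: the site's canonical mail domain comes from configuration,
// never from $_SERVER['HTTP_HOST'] or SERVER_NAME. Placeholder value.
const SITE_MAIL_DOMAIN = 'example.com';

/**
 * Return true only if $address is a syntactically valid email address
 * made of characters that a mail transport cannot misread as an option
 * or argument separator. Whitespace, quotes, backslashes and other shell
 * metacharacters are rejected outright rather than escaped.
 */
function is_safe_sender(string $address): bool
{
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Conservative allowlist: letters, digits and the punctuation found in
    // ordinary addresses. Anything else fails closed.
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $address) === 1;
}

/**
 * Build the default From address from configuration only. The Host header
 * is attacker-controlled, so it must never feed into this value.
 */
function default_sender(): string
{
    return 'wordpress@' . SITE_MAIL_DOMAIN;
}

/**
 * Send a notification only with a validated sender and recipient. The
 * fifth argument of mail() ("-f<sender>") is passed to the sendmail
 * command line, which is exactly why the sender must be validated first.
 */
function send_notification(string $to, string $subject, string $body, ?string $sender = null): bool
{
    $from = $sender ?? default_sender();
    if (!is_safe_sender($from) || !is_safe_sender($to)) {
        error_log('Refusing to send mail: sender or recipient failed validation');
        return false;
    }
    $headers = 'From: ' . $from . "\r\n";
    return mail($to, $subject, $body, $headers, '-f' . $from);
}

// Self-check of the validator on constructed inputs.
var_dump(is_safe_sender('wordpress@example.com'));      // bool(true)
var_dump(is_safe_sender('wordpress@exam ple.com'));     // bool(false)
var_dump(is_safe_sender("admin@example.com\nX: y"));    // bool(false)
```

The point of the allowlist regex is that it fails closed: rather than trying to enumerate every character the mail command might interpret, it admits only the small set that legitimate addresses need, so a Host header that is reflected into a sender address can never carry extra arguments through. Upgrading remains the actual fix; this check is defence in depth for any code path that still builds addresses from request data.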
References
- OWASP: Command Injection
- WordPress
- CVE-2016-10033
- OWASP 2017-A9
- OWASP 2021-A6
- CWE-77
- OWASP 2017-A1
- OWASP 2021-A3
- CWE-20
Last updated on February 07, 2022