WordPress Plugin is-human <= v1.4.2 Eval Injection RCE

The WordPress plugin is-human <= v1.4.2 contains an eval injection vulnerability in /is-human/engine.php that can be triggered via the 'type' parameter when the 'action' parameter is set to 'log-reset'. The root cause is unsafe use of eval() on user-controlled input, which can lead to execution of attacker-supplied PHP and OS commands. This may result in arbitrary code execution as the webserver user, site compromise, or data exfiltration. The is-human plugin was made defunct in June 2008 and is no longer available for download. This vulnerability was exploited in the wild in March 2012.

N/A

动态执行代码中指令转义处理不恰当(Eval注入)

WordPress plugin is-human 安全漏洞

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin is-human v1.4.2及之前版本存在安全漏洞，该漏洞源于对文件/is-human/engine.php中参数type的不安全操作，可能导致任意代码执行。

N/A

N/A