{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3352", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-27T16:44:39.061Z", "datePublished": "2026-03-07T01:21:24.875Z", "dateUpdated": "2026-04-08T17:34:12.443Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:12.443Z"}, "affected": [{"vendor": "shahadul878", "product": "Easy PHP Settings", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the `update_wp_memory_constants()` method. This is due to insufficient input validation on the `wp_memory_limit` and `wp_max_memory_limit` settings before writing them to `wp-config.php`. The `sanitize_text_field()` function used for sanitization does not filter single quotes, allowing an attacker to break out of the string context in a PHP `define()` statement. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject and execute arbitrary PHP code on the server by modifying `wp-config.php`, which is loaded on every page request."}], "title": "Easy PHP Settings <= 1.0.4 - Authenticated (Administrator+) PHP Code Injection via 'wp_memory_limit' Setting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9927487-99fb-46d9-a208-f19e0a371267?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-php-settings/tags/1.0.4/class-easy-php-settings.php#L1800"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-php-settings/trunk/class-easy-php-settings.php#L1800"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-php-settings/tags/1.0.5/class-easy-php-settings.php#L1998"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "ZAST.AI"}], "timeline": [{"time": "2026-02-28T14:00:34.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-06T11:26:38.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T19:07:36.352128Z", "id": "CVE-2026-3352", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:33:09.786Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3352", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T19:07:36.352128Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:07:37.577Z"}}], "cna": {"title": "Easy PHP Settings <= 1.0.4 - Authenticated (Administrator+) PHP Code Injection via 'wp_memory_limit' Setting", "credits": [{"lang": "en", "type": "finder", "value": "ZAST.AI"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "shahadul878", "product": "Easy PHP Settings", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-28T14:00:34.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-06T11:26:38.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9927487-99fb-46d9-a208-f19e0a371267?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-php-settings/tags/1.0.4/class-easy-php-settings.php#L1800"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-php-settings/trunk/class-easy-php-settings.php#L1800"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-php-settings/tags/1.0.5/class-easy-php-settings.php#L1998"}], "descriptions": [{"lang": "en", "value": "The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the `update_wp_memory_constants()` method. This is due to insufficient input validation on the `wp_memory_limit` and `wp_max_memory_limit` settings before writing them to `wp-config.php`. The `sanitize_text_field()` function used for sanitization does not filter single quotes, allowing an attacker to break out of the string context in a PHP `define()` statement. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject and execute arbitrary PHP code on the server by modifying `wp-config.php`, which is loaded on every page request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:12.443Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3352", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:12.443Z", "dateReserved": "2026-02-27T16:44:39.061Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-07T01:21:24.875Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the `update_wp_memory_constants()` method. This is due to insufficient input validation on the `wp_memory_limit` and `wp_max_memory_limit` settings before writing them to `wp-config.php`. The `sanitize_text_field()` function used for sanitization does not filter single quotes, allowing an attacker to break out of the string context in a PHP `define()` statement. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject and execute arbitrary PHP code on the server by modifying `wp-config.php`, which is loaded on every page request."}, {"lang": "es", "value": "El plugin Easy PHP Settings para WordPress es vulnerable a la inyecci\u00f3n de c\u00f3digo PHP en todas las versiones hasta la 1.0.4, inclusive, a trav\u00e9s del m\u00e9todo 'update_wp_memory_constants()'. Esto se debe a una validaci\u00f3n de entrada insuficiente en las configuraciones 'wp_memory_limit' y 'wp_max_memory_limit' antes de escribirlas en 'wp-config.php'. La funci\u00f3n 'sanitize_text_field()' utilizada para la sanitizaci\u00f3n no filtra las comillas simples, lo que permite a un atacante salir del contexto de la cadena en una declaraci\u00f3n PHP 'define()'. Esto hace posible que atacantes autenticados, con acceso de nivel de Administrador y superior, inyecten y ejecuten c\u00f3digo PHP arbitrario en el servidor modificando 'wp-config.php', que se carga en cada solicitud de p\u00e1gina."}], "id": "CVE-2026-3352", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-07T02:16:13.330", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/easy-php-settings/tags/1.0.4/class-easy-php-settings.php#L1800"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/easy-php-settings/tags/1.0.5/class-easy-php-settings.php#L1998"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/easy-php-settings/trunk/class-easy-php-settings.php#L1800"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9927487-99fb-46d9-a208-f19e0a371267?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Easy PHP Settings", "source": "cna", "vendor": "shahadul878"}, "product": "easy_php_settings", "vendor": "shahadul878"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T16:44:52.724699+00:00", "value": {"mitigation_remediation": ["Update the Easy PHP Settings plugin to version 1.0.5 or later, as the code injection flaw is fixed in that release.", "Restore a clean copy of wp-config.php from backup or from the plugin release to remove any injected code.", "Change the file permissions on wp-config.php to readable only by the web server and not writable by administrators after the patch is applied.", "Remove or disable the Easy PHP Settings plugin if an immediate update is not possible so that the vulnerable input route is unavailable."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Vulnerable versions are Easy PHP Settings 1.0.4 and earlier. The issue appears in the update_wp_memory_constants() method of the plugin, which is part of the plugin by Shahadul878 for WordPress. WordPress sites running any of those versions are at risk.", "description_and_impact": "An insecure sanitization routine in the Easy PHP Settings plugin allows administrators to insert arbitrary PHP code via the wp_memory_limit and wp_max_memory_limit settings, since sanitize_text_field does not strip single quotes. By modifying wp-config.php, valid administrators can break out of a define statement and embed code, giving them the ability to execute code on the server with the file's permissions. This is a classic code injection flaw (CWE-94).", "risk_and_exploitability": "CVSS score 7.2 indicates moderate to high severity, and the EPSS score is below 1 percent, suggesting that public exploitation is currently unlikely. Nevertheless, because the flaw requires administrator-level authentication, users should assume that only those with admin access can exploit it directly. The vulnerability is not listed in the KEV catalog, and the risk is primarily the ability to run arbitrary code after logging in, which could lead to full server compromise. Based on the description, it is inferred that the attacker must have administrator privileges in WordPress to modify the plugin's settings. The attack vector is likely through the WordPress administrative interface, where an authenticated administrator can alter the plugin's settings to inject code."}}}}, "created": "2026-03-09T10:06:00.733783+00:00", "updated": "2026-04-15T17:00:07.031544+00:00", "vendors": ["shahadul878", "shahadul878$PRODUCT$easy_php_settings", "wordpress", "wordpress$PRODUCT$wordpress"]}