
Description

The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the `update_wp_memory_constants()` method. This is due to insufficient input validation on the `wp_memory_limit` and `wp_max_memory_limit` settings before writing them to `wp-config.php`. The `sanitize_text_field()` function used for sanitization does not filter single quotes, allowing an attacker to break out of the string context in a PHP `define()` statement. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject and execute arbitrary PHP code on the server by modifying `wp-config.php`, which is loaded on every page request.
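The root cause above is that `sanitize_text_field()` strips tags and control characters but leaves single quotes intact, so it is not a suitable gate for a value that is written into a PHP `define()` literal. The following added example (not the plugin's own code and not its published fix; function names are hypothetical) shows the defensive pattern: validate the setting against the exact format a memory limit can take, reject everything else instead of sanitizing it, and emit the `define()` line through `var_export()` so the value is always a properly escaped string literal.

```php
<?php
// Added example (not the plugin's own code): strict validation for the
// wp_memory_limit / wp_max_memory_limit settings before they are turned
// into define() lines for wp-config.php. Function names are hypothetical.

/**
 * Accept only PHP shorthand byte values (e.g. "256M", "1G", "134217728").
 * Returns the canonical value or null; anything else, including quotes,
 * spaces or PHP code, is rejected rather than "sanitized".
 */
function validate_memory_limit_setting(string $raw): ?string {
    $raw = trim($raw);
    if (!preg_match('/^([1-9][0-9]{0,5})([KMG])?$/', $raw, $m)) {
        return null;
    }
    return $m[1] . ($m[2] ?? '');
}

/**
 * Build a define() line from an already-validated value. var_export()
 * emits a quoted, escaped PHP string literal, so the value cannot close
 * the string context even if the validation above were later relaxed.
 */
function render_wp_config_define(string $constant, string $value): ?string {
    // Only allow the expected constant names, not arbitrary identifiers.
    if (!preg_match('/^WP_(MAX_)?MEMORY_LIMIT$/', $constant)) {
        return null;
    }
    $validated = validate_memory_limit_setting($value);
    if ($validated === null) {
        return null;
    }
    return sprintf(
        "define( %s, %s );\n",
        var_export($constant, true),
        var_export($validated, true)
    );
}

// Constructed sample inputs: the first two are accepted, the rest rejected
// (a stray quote, a space-separated unit, and a non-numeric value).
foreach (['256M', '1G', "256M'", '256 MB', 'abc'] as $input) {
    $line = render_wp_config_define('WP_MEMORY_LIMIT', $input);
    printf("%-10s => %s", var_export($input, true), $line ?? "REJECTED\n");
}
```

A further reduction in exposure is to avoid writing administrator-supplied values into `wp-config.php` at all and instead apply the limit at runtime from a stored option; this example only hardens the write path the advisory describes.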

Status: PUBLISHED | Reserved 2026-02-27 | Published 2026-03-07 | Updated 2026-03-09 | Assigner: Wordfence

HIGH: 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status: unaffected

* (semver): affected

Timeline

2026-02-28: Vendor Notified
2026-03-06: Disclosed

Credits

ZAST.AI (finder)

References

www.wordfence.com/...-99fb-46d9-a208-f19e0a371267?source=cve

plugins.trac.wordpress.org/....4/class-easy-php-settings.php

plugins.trac.wordpress.org/...nk/class-easy-php-settings.php

plugins.trac.wordpress.org/....5/class-easy-php-settings.php

cve.org (CVE-2026-3352)

nvd.nist.gov (CVE-2026-3352)
