Cyber Posture

CVE-2024-13890

High · RCE

Published: 08 March 2025
Modified: 12 March 2025
KEV Added: not listed
Patch: none referenced
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0024 (46.4th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13890 is a high-severity Code Injection (CWE-94) vulnerability in Sksdev Allow Php Execute. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 46.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent (SI-10, Information Input Validation): Directly mitigates PHP code injection by validating and sanitizing user inputs to WordPress posts and pages for completeness, correctness, and consistency.

prevent (AC-6, Least Privilege): Enforces least privilege to deny unfiltered HTML and PHP execution capabilities to Editor-level users unless operationally required.

prevent: Remediates the specific flaw in the Allow PHP Execute plugin by identifying, patching, or removing it to prevent exploitation.
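The least-privilege control above comes down to one WordPress capability: the NVD text says the plugin lets PHP in for every user "for whom unfiltered HTML is allowed", which is the core `unfiltered_html` capability that single-site WordPress grants to Editors by default. The following must-use plugin is an added hardening example written for this page; it is not code from the Allow PHP Execute plugin or from the page's source. It assumes a single-site install where only Administrators legitimately need `unfiltered_html`, and the function names prefixed `cp_` are hypothetical. It uses the real core pieces `map_meta_cap`, `do_not_allow` and the `DISALLOW_UNFILTERED_HTML` constant, and adds an audit helper so a defender can list who currently holds the capability before and after the change.

```php
<?php
/**
 * Plugin Name: Deny unfiltered_html to Editors (added hardening example)
 *
 * Place in wp-content/mu-plugins/ so it loads before any regular plugin.
 * Assumption (not stated on the page): Editors received unfiltered_html
 * through the default single-site role definitions, and Administrators
 * are the only role that operationally requires it.
 */

// Option 1, site-wide and simplest: put this line in wp-config.php instead.
// Core then maps unfiltered_html to do_not_allow for every user, admins included.
// define( 'DISALLOW_UNFILTERED_HTML', true );

// Option 2, targeted: deny unfiltered_html to the Editor role only.
add_filter( 'map_meta_cap', 'cp_deny_unfiltered_html_to_editors', 10, 4 );

/**
 * map_meta_cap filter: for Editors, replace the required primitive caps for
 * unfiltered_html with do_not_allow, a pseudo-capability no user ever holds,
 * so current_user_can( 'unfiltered_html' ) returns false for them.
 */
function cp_deny_unfiltered_html_to_editors( $caps, $cap, $user_id, $args ) {
    if ( 'unfiltered_html' !== $cap ) {
        return $caps;
    }

    $user = get_userdata( $user_id );
    if ( $user && in_array( 'editor', (array) $user->roles, true ) ) {
        return array( 'do_not_allow' );
    }

    return $caps; // Administrators and other roles are left unchanged.
}

/**
 * Audit helper: return the logins of every user who can currently pass an
 * unfiltered_html check. Run before and after deploying this file, e.g.
 *   wp eval 'print_r( cp_audit_unfiltered_html_users() );'
 * Expected after deployment: administrators only.
 */
function cp_audit_unfiltered_html_users() {
    $holders = array();
    $users   = get_users( array( 'fields' => array( 'ID', 'user_login' ) ) );

    foreach ( $users as $u ) {
        if ( user_can( (int) $u->ID, 'unfiltered_html' ) ) {
            $holders[] = $u->user_login;
        }
    }

    return $holders;
}
```

Because the plugin's own gate is the same capability, denying `unfiltered_html` to Editors closes the Editor-level path described in the NVD text without touching the plugin code; removing or patching the plugin (the third control above) is still the complete fix, since Administrators retain the capability.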

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The PHP code injection vulnerability in the WordPress plugin directly enables exploitation of a public-facing application for arbitrary code execution (T1190) and facilitates web shell deployment via unrestricted PHP execution in posts/pages (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Allow PHP Execute plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0. This is due to allowing PHP code to be entered by all users for whom unfiltered HTML is allowed. This makes it possible for authenticated attackers, with Editor-level access and above, to inject PHP code into posts and pages.

Deeper analysis [AI-generated]

CVE-2024-13890 is a PHP Code Injection vulnerability (CWE-94) in the Allow PHP Execute plugin for WordPress, affecting all versions up to and including 1.0. The flaw arises because the plugin permits users with unfiltered HTML privileges to directly enter PHP code, bypassing WordPress's standard restrictions on script execution in posts and pages.

Authenticated attackers possessing Editor-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows arbitrary PHP code execution on the server, potentially leading to high-impact compromise of confidentiality, integrity, and availability, as indicated by the CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Advisories from sources like Wordfence provide threat intelligence on the vulnerability, while the plugin's source code at line 10 in allow-php-execute.php highlights the specific implementation allowing unfiltered PHP execution. No patches are referenced for versions beyond 1.0.

Details

CWE(s)

CWE-94 (Code Injection)

Affected Products

sksdev allow php execute, version 1.0

CVEs Like This One

CVE-2025-66224 (shared CWE-94)
CVE-2026-26699 (shared CWE-94)
CVE-2026-2296 (shared CWE-94)
CVE-2024-50660 (shared CWE-94)
CVE-2026-1540 (shared CWE-94)
CVE-2026-3352 (shared CWE-94)
CVE-2025-70995 (shared CWE-94)
CVE-2023-53888 (shared CWE-94)
CVE-2026-27044 (shared CWE-94)
CVE-2025-69319 (shared CWE-94)

References