Cyber Resilience

CVE-2024-13890

High · RCE

Published: 08 March 2025
Modified: 12 March 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0024 (46.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13890 is a high-severity Code Injection (CWE-94) vulnerability in the Allow PHP Execute WordPress plugin by sksdev. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), with the caveat that the vector's PR:H metric means the attacker must already hold Editor-level credentials on the site. EPSS ranks it at the 46.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13890 is a PHP Code Injection vulnerability (CWE-94) in the Allow PHP Execute plugin for WordPress, affecting all versions up to and including 1.0. WordPress core never evaluates PHP embedded in post content; the plugin adds that behaviour and gates it only on the unfiltered_html capability, which a single-site WordPress install grants to Editors as well as Administrators by default. Any user permitted to save unfiltered HTML can therefore also save PHP that the plugin will execute.

Authenticated attackers with Editor-level access or higher can exploit this over the network with low attack complexity and no user interaction. Successful exploitation yields arbitrary PHP execution in the web server's context, hence the high confidentiality, integrity and availability impact in the CVSS v3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, base score 7.2). The PR:H metric is what holds the score down: the same vector with PR:L scores 8.8, so the practical risk is that a compromised or malicious Editor account becomes server-level code execution.

The references comprise a Wordfence advisory and a pointer to line 10 of allow-php-execute.php in the plugin source, the point at which the plugin executes PHP taken from post content. No patched release is referenced and 1.0 is the only version listed, so the plugin should be treated as unfixed: deactivate and remove it rather than wait for an update.


Vulnerability details

The Allow PHP Execute plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0. This is due to allowing PHP code to be entered by all users for whom unfiltered HTML is allowed. This makes it possible for authenticated attackers, with Editor-level access and above, to inject PHP code into posts and pages.

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The plugin lets an authenticated Editor run arbitrary PHP through a public-facing WordPress site, which the mapping records as T1190 (Initial Access); strictly, the attacker already holds site credentials, so the technique describes the foothold on the server rather than on the account. T1505.003 follows directly: PHP saved into a published post or page is a web shell that lives in the database, survives plugin and theme updates, and runs whenever that content is rendered.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-57487 (shared CWE-94)
CVE-2025-70995 (shared CWE-94)
CVE-2026-32367 (shared CWE-94)
CVE-2026-3352 (shared CWE-94)
CVE-2026-30117 (shared CWE-94)
CVE-2026-45708 (shared CWE-94)
CVE-2023-53888 (shared CWE-94)
CVE-2024-50660 (shared CWE-94)
CVE-2026-26699 (shared CWE-94)
CVE-2025-70073 (shared CWE-94)

Affected Assets

Vendor: sksdev
Product: allow php execute
Version: 1.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)
Directly mitigates PHP code injection by validating and sanitizing user input to WordPress posts and pages. In practice the only sound form of this control is never handing post content to the PHP interpreter: no sanitizer can make attacker-chosen PHP safe to execute.

AC-6 Least Privilege (prevent)
Denies the unfiltered_html capability, and with it the plugin's PHP execution, to Editor-level users unless operationally required, for example by defining WordPress's DISALLOW_UNFILTERED_HTML constant or by removing the capability from the Editor role.

SI-2 Flaw Remediation (prevent)
Remediates the specific flaw by identifying installations of the Allow PHP Execute plugin and patching or removing them; with no fixed release referenced, removal is the available option.
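As an added example that serves both the T1505.003 web-shell mapping above and the AC-6 and SI-2 controls here, the following hunts for PHP open tags in WordPress post content, attributes each hit to its author's role and whether that role holds unfiltered_html, and lists the roles granting that capability. It is not code from the page or the plugin. It runs on constructed sample rows; on a real site the rows would come from wp_posts (every post type, revisions included, because an injected snippet lives on in revision history after the visible page has been cleaned) and the role map from the wp_user_roles option. The shell-call pattern and the sample users, roles and posts are assumptions made for the example.

```python
"""Hunt for PHP left in WordPress post content and audit which roles
hold unfiltered_html (added example; sample data is constructed)."""
import re
from dataclasses import dataclass, field

# `<?php ...` or the short echo tag `<?=`. The bare short tag `<?` is left
# out on purpose: it also matches XML prologs in legitimate content.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Calls a web shell typically needs (assumed list). A hit raises priority;
# a miss does not clear the post, since PHP in content is abnormal regardless.
SHELL_CALLS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"base64_decode|gzinflate|file_put_contents)\s*\(",
    re.IGNORECASE,
)


@dataclass
class Finding:
    post_id: int
    post_type: str
    post_status: str
    author_id: int
    author_role: str
    tag_count: int
    shell_calls: list = field(default_factory=list)
    has_unfiltered_html: bool = False


# Constructed sample data, not real site content. The role map mirrors a
# default single-site install, where Editors hold unfiltered_html.
SAMPLE_ROLE_CAPS = {
    "administrator": {"unfiltered_html", "edit_posts", "publish_posts", "activate_plugins"},
    "editor": {"unfiltered_html", "edit_posts", "publish_posts"},
    "author": {"edit_posts", "publish_posts"},
}
SAMPLE_USERS = {1: "administrator", 7: "editor", 9: "author"}  # user ID -> role
SAMPLE_POSTS = [
    {"ID": 10, "post_author": 1, "post_type": "post", "post_status": "publish",
     "post_content": "<p>Release notes for 1.0</p>"},
    {"ID": 12, "post_author": 7, "post_type": "page", "post_status": "publish",
     "post_content": "<p>Contact</p><?php @eval(base64_decode($_POST['c'])); ?>"},
    {"ID": 13, "post_author": 7, "post_type": "revision", "post_status": "inherit",
     "post_content": "<p>Contact</p><?php system($_GET['cmd']); ?>"},  # survives in revision history
    {"ID": 14, "post_author": 9, "post_type": "post", "post_status": "draft",
     "post_content": "<?xml version=\"1.0\"?><p>feed snippet</p>"},  # benign XML prolog
    {"ID": 15, "post_author": 9, "post_type": "post", "post_status": "publish",
     "post_content": "Price: <?= $price ?>"},  # short echo tag from a user without unfiltered_html
]


def roles_granting(cap: str, role_caps: dict) -> list:
    """Roles that grant `cap`. For AC-6 the answer for 'unfiltered_html'
    should be ['administrator'] at most, or empty with DISALLOW_UNFILTERED_HTML set."""
    return sorted(role for role, caps in role_caps.items() if cap in caps)


def hunt_php_in_posts(posts, users, role_caps) -> list:
    """Return a Finding per row whose content carries a PHP open tag,
    shell-like hits first. Drafts and revisions are deliberately kept:
    a draft can be published and a revision restored."""
    findings = []
    for row in posts:
        tags = PHP_OPEN_TAG.findall(row["post_content"])
        if not tags:
            continue
        role = users.get(row["post_author"], "unknown")
        findings.append(Finding(
            post_id=row["ID"],
            post_type=row["post_type"],
            post_status=row["post_status"],
            author_id=row["post_author"],
            author_role=role,
            tag_count=len(tags),
            shell_calls=sorted({m.group(1).lower() for m in SHELL_CALLS.finditer(row["post_content"])}),
            has_unfiltered_html="unfiltered_html" in role_caps.get(role, set()),
        ))
    return sorted(findings, key=lambda f: (not f.shell_calls, f.post_id))


if __name__ == "__main__":
    print("roles granting unfiltered_html:", roles_granting("unfiltered_html", SAMPLE_ROLE_CAPS))
    for f in hunt_php_in_posts(SAMPLE_POSTS, SAMPLE_USERS, SAMPLE_ROLE_CAPS):
        print(f"post {f.post_id} ({f.post_type}/{f.post_status}) by user {f.author_id} "
              f"[{f.author_role}, unfiltered_html={f.has_unfiltered_html}] "
              f"tags={f.tag_count} calls={f.shell_calls}")
```

On the sample data the scan surfaces the Editor's published page and the revision that still carries a shell after the page was "cleaned", and flags the Author's short echo tag separately: that user's role does not hold unfiltered_html, so either the role map has drifted from the default or the content arrived another way, and both are worth a look. The role audit returning more than administrator is the AC-6 gap the controls above describe.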
