CVE-2026-3352
Published: 07 March 2026
Summary
CVE-2026-3352 is a high-severity Code Injection (CWE-94) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
Validates inputs used in dynamic code generation to block injected directives.
Directly prevents execution of attacker-supplied code written into data memory regions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing WordPress plugin enables direct exploitation for RCE; code injection into wp-config.php (loaded on every request) deploys persistent web shell functionality.
NVD Description
The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the `update_wp_memory_constants()` method. This is due to insufficient input validation on the `wp_memory_limit` and `wp_max_memory_limit` settings before writing…
more
them to `wp-config.php`. The `sanitize_text_field()` function used for sanitization does not filter single quotes, allowing an attacker to break out of the string context in a PHP `define()` statement. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject and execute arbitrary PHP code on the server by modifying `wp-config.php`, which is loaded on every page request.
Deeper analysisAI
CVE-2026-3352 is a PHP code injection vulnerability in the Easy PHP Settings plugin for WordPress, affecting all versions up to and including 1.0.4. The flaw exists in the `update_wp_memory_constants()` method, which performs insufficient input validation on the `wp_memory_limit` and `wp_max_memory_limit` settings before writing them to `wp-config.php`. Specifically, the `sanitize_text_field()` function fails to filter single quotes, enabling attackers to escape the string context within a PHP `define()` statement.
Authenticated attackers with Administrator-level access or higher can exploit this vulnerability over the network with low complexity. By submitting malicious values for the affected settings, they can inject arbitrary PHP code into `wp-config.php`, which is loaded on every page request, resulting in remote code execution. This grants high-impact confidentiality, integrity, and availability effects, as reflected in the CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-94.
References include source code from vulnerable version 1.0.4, patched version 1.0.5, and the current trunk, along with a Wordfence threat intelligence advisory. Mitigation involves updating the Easy PHP Settings plugin to version 1.0.5 or later, where the input handling appears to have been addressed.
Details
- CWE(s)