Introduction
A single unauthenticated HTTP POST request is all it takes to achieve full remote code execution on a WordPress site running the Insert PHP plugin alongside WordPress 4.7.0 or 4.7.1. CVE-2017-20251 chains a WordPress core REST API privilege escalation with the plugin's shortcode execution functionality to create a critical attack path that has had a public exploit available since February 2017, nearly a decade before the formal CVE was assigned.
The WordPress Insert PHP plugin (now succeeded by Woody Code Snippets, maintained by Themeisle) allows site administrators to embed and execute PHP code directly within WordPress posts and pages using shortcodes. The plugin was originally published in November 2012 and has been used across hundreds of thousands of WordPress installations. Its functionality sits at a particularly sensitive intersection of user content and server side code execution, making it a high value target when access controls fail.
Technical Information
Vulnerability Classification
CVE-2017-20251 is classified under CWE-94 (Improper Control of Generation of Code). The NVD published the record on June 9, 2026, with VulnCheck as the source CNA. The CVSS v3 score is 9.8 and the CVSS v4.0 Base Score is 9.3 (Critical) with the vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Every metric sits at the most severe position: network exploitable, low complexity, no privileges required, no user interaction needed, and high impact across confidentiality, integrity, and availability.
Root Cause: A Two Stage Attack Chain
This vulnerability is not a single flaw but a composition of two distinct weaknesses that, when combined, produce unauthenticated remote code execution.
Stage 1: REST API Privilege Escalation (WordPress Core)
WordPress versions 4.7.0 and 4.7.1 contained a privilege escalation vulnerability in the REST API that allowed unauthenticated users to modify post content. The wp-json/wp/v2/posts endpoint, which normally requires editor or administrator privileges to modify content, failed to enforce access controls properly. This meant any external actor could send a POST request to update the content of any existing post without providing authentication cookies, nonces, or API keys.
Stage 2: Malicious Shortcode Execution (Insert PHP Plugin)
The Insert PHP plugin registers two shortcodes: [insert_php] and [php]. These shortcodes are designed to embed and execute arbitrary PHP code within post content. When WordPress renders a post containing these shortcodes, the plugin evaluates the embedded PHP code server side. This is the plugin's intended functionality for administrators, but it becomes catastrophic when an unauthenticated attacker can write arbitrary content into posts.
Attack Flow
The exploitation sequence works as follows:
- The attacker identifies a WordPress site running a vulnerable version of both WordPress core (4.7.0 or 4.7.1) and the Insert PHP plugin (versions before 3.3.1).
- The attacker sends a POST request to
/wp-json/wp/v2/posts/{id}with a JSON body containing malicious shortcode content. The request includes no authentication headers. - Due to the REST API privilege escalation flaw, WordPress accepts the unauthenticated request and saves the attacker's content to the database, overwriting the existing post.
- The injected content contains
[insert_php]or[php]shortcodes wrapping malicious PHP code, such as aninclude()call pointing to a remote attacker controlled PHP file. - When the modified post is rendered (either by a legitimate visitor browsing the site or by the attacker requesting the post URL directly), WordPress processes the shortcodes through
do_shortcode(). - The Insert PHP plugin executes the embedded PHP code on the server, granting the attacker arbitrary code execution.
The critical insight is that neither component alone produces the full severity. The REST API flaw allows content modification but not code execution. The Insert PHP shortcode allows code execution but normally only for authenticated administrators. Their combination eliminates all barriers to remote code execution.
Shortcode Injection as a Systemic WordPress Risk
Research from the Pritect Network identifies shortcode injection as a broader systemic attack vector in the WordPress ecosystem. The core problem arises when developers pass unsanitized user input into the do_shortcode() function. Stock WordPress without third party plugins is generally safe, but plugins that register powerful shortcodes create significant risk surfaces.
The following table summarizes the attack methods and their authentication requirements:
| Attack Method | Description | Authentication Required |
|---|---|---|
| Direct Shortcode Injection | Passing unsanitized text to do_shortcode() | Low privilege user (Contributor+) |
| REST API Exploitation (CVE-2017-20251) | Injecting shortcodes via wp-json/wp/v2/posts | None (unauthenticated) |
| Privilege Escalation via Shortcode | Using shortcodes to modify user roles or execute SQL | Low privilege user |
The REST API exploitation path used in CVE-2017-20251 is the most dangerous variant because it eliminates the need for any authenticated session whatsoever. Even a user with the Contributor role can create posts and use the Preview function, which executes any shortcodes embedded in the post content, but the REST API path removes even that minimal barrier.
The "Unsupported When Assigned" Designation
The NVD has assigned an "Unsupported When Assigned" status to this CVE, indicating that the original Insert PHP software branch is no longer maintained by its developer. The NVD guidance states that "users are strongly advised to transition away from any unsupported branches." This designation means that organizations running the original Insert PHP plugin are on a code base that will never receive another security patch, regardless of what future vulnerabilities may be discovered.
Affected Systems and Versions
The following configurations are vulnerable:
- WordPress Insert PHP plugin: All versions prior to 3.3.1
- WordPress core: Versions 4.7.0 and 4.7.1 (required for the unauthenticated REST API exploitation path)
- The combination of both components is required for the full unauthenticated RCE chain
Sites running the Insert PHP plugin version 3.3.1 or later are not vulnerable to this specific shortcode injection via the REST API. Sites running WordPress 4.7.2 or later have the REST API privilege escalation patched, which breaks Stage 1 of the attack chain even if the plugin remains unpatched. However, the plugin's shortcode functionality still presents risk to authenticated users with content editing privileges on unpatched plugin versions.
The Insert PHP plugin has been superseded by Woody Code Snippets (available at the same WordPress plugin repository slug), which is actively maintained by Themeisle.
Vendor Security History
Themeisle, the current maintainer of the plugin (now branded as Woody Code Snippets), is a Romanian WordPress company founded in 2013 by Ionut Neagu, based in Bucharest. The company reports being trusted by 471,039 users and maintains a portfolio of themes (Neve, Hestia, Neve FSE) and plugins (Feedzy RSS Feeds, Masteriyo LMS, Otter Blocks).
The Insert PHP / Woody Code Snippets plugin family has accumulated multiple documented security vulnerabilities:
| Vulnerability | Affected Version | Severity |
|---|---|---|
| PHP Code Injection via REST API (CVE-2017-20251) | < 3.3.1 | Critical (CVSS 9.8) |
| PHP Code Injection via Shortcode | 3.3.1 | Critical |
| Authenticated (Admin+) Stored XSS | <= 1.3.4 | Medium |
A Reddit discussion titled "Themeisle's Great History on Plugin Security Notifications" indicates community awareness of the company's approach to security communications. The recurrence of code injection vulnerabilities across different versions suggests a systemic design challenge inherent in plugins whose core functionality is evaluating user supplied PHP code.
Mitigation Strategies
Immediate Actions
The VulnCheck advisory states that the fix is to upgrade the plugin to version 3.3.1 or later. However, given the NVD "Unsupported When Assigned" designation, upgrading to 3.3.1 places organizations on an unmaintained code base. The recommended long term remediation is to migrate to Woody Code Snippets, the actively maintained successor plugin available on the WordPress plugin repository.
WordPress core must also be updated to version 4.7.2 or later to address the REST API privilege escalation that enables the unauthenticated exploitation path. Applying either fix alone only breaks one stage of the two stage attack chain; both are necessary for complete remediation.
Hardening Measures
| Measure | Description |
|---|---|
| Migrate to Woody Code Snippets | Actively maintained successor plugin with ongoing security updates |
| Update WordPress Core to 4.7.2+ | Addresses the REST API privilege escalation enabling unauthenticated post modification |
| Sanitize input before do_shortcode() | Prevents shortcode injection through unsanitized user input |
| Add authorization checks on dangerous shortcodes | Ensures only privileged users can invoke code execution shortcodes |
| Disable allow_url_include in PHP | Prevents remote file inclusion via include() calls in injected payloads |
A Note on the CVE Timeline Gap
The nearly decade long gap between the public exploit (February 2017) and the formal CVE assignment (June 2026) is worth highlighting for vulnerability management teams. During this entire period, security teams relying on CVE based vulnerability tracking had no formal identifier for a vulnerability with publicly available exploit code. This underscores the importance of monitoring exploit databases and security advisories beyond formal CVE channels.
Threat Intelligence
A fully functional proof of concept exploit has been publicly available on Exploit DB (EDB 41308) since February 9, 2017, credited to researcher CrashBandicot with attribution to the Sucuri security team (@sucurisecurity). The exploit requires only a single HTTP POST request with no authentication, making it trivially weaponizable by both sophisticated threat actors and automated scanning tools.
As of the NVD publication date, CVE-2017-20251 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the absence from KEV should not be interpreted as evidence of no exploitation. Several factors indicate significant exploitation risk:
- Public exploit code available since February 2017: The proof of concept has been accessible for years prior to the formal CVE assignment, providing ample time for integration into attack toolkits.
- Zero authentication requirement: This makes the vulnerability highly attractive for automated mass scanning campaigns targeting WordPress sites at scale.
- WordPress ecosystem targeting: WordPress plugins are consistently among the most targeted attack surfaces, with threat actors routinely scanning for vulnerable plugin installations using version enumeration tools.
- Related REST API exploitation history: The WordPress 4.7.0/4.7.1 REST API vulnerability was widely exploited in early 2017 for content defacement campaigns. The Insert PHP plugin exploit represents a more severe escalation path from the same API flaw.
Specific threat actor attribution for CVE-2017-20251 is not publicly documented. No sources identified particular APT groups, ransomware operators, or botnet campaigns specifically leveraging this vulnerability.
References
- NVD: CVE-2017-20251
- VulnCheck Advisory: WordPress Insert PHP Plugin PHP Code Injection via REST API
- Exploit DB: WordPress Plugin Insert PHP 3.3.1 PHP Code Injection (EDB 41308)
- WordPress Plugin Repository: Woody Code Snippets (Insert PHP successor)
- WordPress Plugin Repository (FR): Insert PHP / Woody Code Snippets
- Pritect Network: WordPress Shortcode Injection as an Attack Vector
- SecPod: WordPress REST API Endpoint Zero Day Content Injection
- Wordfence: Insert PHP Code Snippet <= 1.3.4 Authenticated Stored XSS
- Themeisle WordPress Profile
- CISA Known Exploited Vulnerabilities Catalog



