CVE-2024-3105 Overview
CVE-2024-3105 is a remote code execution vulnerability in the Woody code snippets – Insert Header Footer Code, AdSense Ads plugin for WordPress. The flaw affects all plugin versions up to and including 2.5.0. The vulnerability resides in the insert_php shortcode, which fails to restrict execution to high-privilege users. Authenticated attackers with contributor-level access or above can execute arbitrary PHP code on the underlying server. The issue is classified under CWE-94 (Improper Control of Generation of Code).
Critical Impact
Contributor-level WordPress users can execute arbitrary PHP code on the host, leading to full site compromise, lateral movement, and data theft.
Affected Products
- Woody code snippets – Insert Header Footer Code, AdSense Ads plugin for WordPress
- All versions up to and including 2.5.0
- WordPress sites where an untrusted party holds a contributor, author, or editor account, whether through open registration with a contributor default role or through a guest-author editorial workflow
Discovery Timeline
- 2024-06-15 - CVE-2024-3105 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-3105
Vulnerability Analysis
The Woody code snippets plugin exposes an insert_php shortcode that evaluates PHP code embedded inside post or page content. WordPress expands shortcodes when content is rendered, so the PHP runs whenever a post containing the shortcode is displayed or previewed, regardless of who authored it. The plugin performs no capability check, such as manage_options or unfiltered_html, before evaluating the shortcode body as PHP, and it never asks whether the post author (as opposed to the viewer) is entitled to run code. Contributor accounts, which exist on many WordPress sites with open registration or editorial workflows, therefore gain a direct path to remote code execution: a contributor can preview their own draft, and that preview alone is enough to trigger evaluation.
Root Cause
The root cause is a missing authorization check on shortcode execution. The shortcode handler defined in shortcode-insert-php.php evaluates the shortcode body without verifying that the account that authored the content is allowed to run PHP. The plugin implicitly assumes that only administrators author snippet content, but WordPress lets any user with edit_posts, contributors included, place any registered shortcode in the posts they create and preview them. This mismatch between the intended and the enforced privilege level is the code injection condition [CWE-94].
Attack Vector
The attack requires an authenticated account with contributor capabilities. The attacker creates or edits a post containing an [insert_php] shortcode wrapping arbitrary PHP. When the post is previewed (which the contributor can do for their own draft) or rendered, the plugin evaluates the PHP payload inside the WordPress process. The attacker gains code execution as the web server user, enabling file system access, database queries through $wpdb, credential theft (wp-config.php holds the database credentials and authentication salts), and persistence via webshells or backdoored plugin files. See the Wordfence Vulnerability Report for additional technical context.
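The three handler variants below are an added illustration of the root cause and the fix; they are not the plugin's own code, which the page does not reproduce. Function names are invented, and the shortcode body is assumed to be raw PHP, as the description implies. The middle variant is the tempting but wrong fix: it checks the viewer, so it still runs a contributor's payload the moment an editor or administrator previews the pending post, and it breaks legitimately authored pages for anonymous visitors.

```php
<?php
// Added example, not the Woody plugin's code. Names are illustrative.

// 1. Vulnerable (the CWE-94 pattern): whoever can put the shortcode in a
//    post decides what PHP the server runs when that post is rendered.
function example_insert_php_vulnerable( $atts, $content = '' ) {
    ob_start();
    eval( $content );            // no authorization check at all
    return ob_get_clean();
}

// 2. Wrong fix: gating on the *viewer*. Shortcodes expand at render time,
//    so this executes a contributor's payload when an editor or
//    administrator previews the pending post, and refuses to run a
//    legitimately authored snippet for anonymous visitors.
function example_insert_php_viewer_check( $atts, $content = '' ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return '';
    }
    ob_start();
    eval( $content );
    return ob_get_clean();
}

// 3. Correct fix: gate on the *post author's* capability. The author is the
//    principal that injected the code, so that is the account to authorize.
function example_insert_php_author_check( $atts, $content = '' ) {
    global $post;
    if ( ! $post instanceof WP_Post ) {
        return '';               // no post context (widgets, unknown origin)
    }
    // manage_options restricts snippets to administrators. unfiltered_html
    // is a weaker choice: on single-site installs editors hold it too.
    if ( ! user_can( (int) $post->post_author, 'manage_options' ) ) {
        error_log( sprintf( 'insert_php refused for post %d (author %d)',
            $post->ID, $post->post_author ) );
        return '';
    }
    ob_start();
    eval( $content );
    return ob_get_clean();
}

add_shortcode( 'insert_php', 'example_insert_php_author_check' );
```

Even the author-side check leaves a broad privileged path: any administrator account, and any editor who reassigns post_author to an administrator, can still execute PHP stored in the database. Treat the plugin as a code-execution feature, keep DISALLOW_FILE_MODS set, and feed the refusal log line into the detection rules in the next section.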
No verified public proof-of-concept code is included in this advisory. Refer to the WordPress Plugin Class File and the WordPress Changeset Log for the vendor remediation diff.
Detection Methods for CVE-2024-3105
Indicators of Compromise
- Post or page revisions in wp_posts containing the [insert_php] shortcode authored by non-administrator users
- Unexpected PHP files written under wp-content/uploads/ or plugin directories after post previews
- Outbound network connections from the PHP-FPM or Apache process to attacker-controlled infrastructure
- New WordPress administrator accounts created shortly after contributor post activity
Detection Strategies
- Query the WordPress database for any post content, including drafts, pending posts and revisions, matching the insert_php or insert_PHP_code shortcode patterns, and review the author's role and capabilities rather than only the post status
- Audit web server access logs for POST requests to /wp-admin/post.php, /wp-admin/admin-ajax.php and the REST endpoint /wp-json/wp/v2/posts (the block editor saves content through REST), and for preview requests carrying preview=true, correlated with anomalous child processes of the PHP worker
- Monitor for PHP processes spawning shell utilities such as sh, bash, wget, or curl, which is atypical for normal WordPress workloads
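The database query strategy above, carried through to an author-capability verdict, as an added WP-CLI script that is not part of the page or the plugin. It assumes the standard WordPress schema and WP-CLI's `eval-file` command; the shortcode name comes from the advisory, the verdict labels are invented.

```php
<?php
// Added example, not from the page or the plugin. Run on the site with:
//   wp eval-file audit-insert-php.php
// Lists every post body (drafts, pending posts and revisions included, since
// the shortcode runs on preview) that carries [insert_php, and flags rows
// whose author lacks an administrative capability.

global $wpdb;

$like = '%' . $wpdb->esc_like( '[insert_php' ) . '%';

$rows = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT ID, post_author, post_type, post_status, post_parent, post_modified
           FROM {$wpdb->posts}
          WHERE post_content LIKE %s",
        $like
    )
);

$findings = array();
foreach ( $rows as $row ) {
    $author_id = (int) $row->post_author;
    $user      = get_userdata( $author_id );
    $roles     = $user ? implode( ',', $user->roles ) : 'deleted-user';

    // Author-side check: does the account that wrote this content hold the
    // capability the patched plugin should require?
    $trusted = user_can( $author_id, 'manage_options' );

    $findings[] = array(
        'ID'        => $row->ID,
        'type'      => $row->post_type,     // 'revision' rows point at parent
        'status'    => $row->post_status,
        'parent'    => $row->post_parent,
        'author_id' => $author_id,
        'roles'     => $roles,
        'modified'  => $row->post_modified,
        'verdict'   => $trusted ? 'review' : 'SUSPECT',
    );
}

WP_CLI::log( sprintf( '%d post bodies contain [insert_php', count( $findings ) ) );
if ( $findings ) {
    WP_CLI\Utils\format_items( 'table', $findings, array_keys( $findings[0] ) );
}
```

Rows marked SUSPECT are authored by accounts below administrator and are the IOC from the list above; rows marked review still deserve a look, because a compromised administrator account or a reassigned post_author produces the same record. Run it against a read replica or a database dump restored locally if the production site is already suspected of compromise.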
Monitoring Recommendations
- Enable WordPress activity logging to capture post creation, plugin changes, and user role modifications
- File integrity monitoring on the wp-content/plugins/insert-php/ directory and core WordPress files
- Alert on EPSS-elevated CVEs across internet-facing CMS assets; this CVE sits in the 98th percentile of exploitation likelihood
How to Mitigate CVE-2024-3105
Immediate Actions Required
- Update the Woody code snippets plugin to a version later than 2.5.0 that restricts insert_php to high-privilege users
- Audit all WordPress accounts and remove unused contributor, author, and editor accounts
- Search existing post content for the [insert_php] shortcode and review any matches authored by non-administrators
- Rotate WordPress administrator passwords and API keys if compromise is suspected
Patch Information
The vendor addressed the issue in a release tracked under WordPress.org changeset 3102522. Review the WordPress Changeset Log for the exact code modifications that restrict shortcode execution to authorized roles.
Workarounds
- Deactivate and remove the Woody code snippets plugin until the patched version is deployed
- Disable user registration or restrict new accounts to the subscriber role, which lacks post-authoring privileges
- Place the WordPress administration interface behind IP allowlisting, or add a web application firewall (WAF) rule that blocks [insert_php] in request bodies to /wp-admin/post.php and /wp-json/wp/v2/posts; treat the WAF rule as a stopgap only, since the block editor submits content as JSON and the bracket can arrive as a \u005b escape that a naive string match misses
- Set DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS in wp-config.php to limit post-compromise persistence
# wp-config.php hardening (PHP; place above the "That's all, stop editing!" line)
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
# Audit posts, drafts and revisions for the vulnerable shortcode via WP-CLI (shell).
# Read the real table prefix instead of assuming wp_.
PREFIX="$(wp db prefix)"
wp db query "SELECT ID, post_author, post_type, post_status FROM ${PREFIX}posts \
WHERE post_content LIKE '%[insert_php%' OR post_content LIKE '%[php%';"
# Remove the plugin (slug insert-php) if a patched version is unavailable
wp plugin deactivate insert-php
wp plugin delete insert-php
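For sites that rely on the plugin's header and footer features and cannot remove it immediately, the must-use plugin below is an added workaround, not vendor code: it wraps whatever handler the plugin registered for insert_php and enforces an author-side capability check from outside the plugin's files. It assumes the plugin registers the shortcode on plugins_loaded or on init at default priority; the plugin header text and log message are invented.

```php
<?php
/**
 * Plugin Name: Gate insert_php shortcode (temporary workaround)
 * Description: Added example, not vendor code. Copy to wp-content/mu-plugins/ to
 *              neutralize CVE-2024-3105 until the patched plugin is installed.
 */

// Assumption: the plugin registers its shortcode on plugins_loaded or on init
// at default priority, so an init hook at the lowest priority runs after it.
// Verify on your install: $shortcode_tags['insert_php'] must be set here.
add_action( 'init', function () {
    global $shortcode_tags;

    if ( empty( $shortcode_tags['insert_php'] ) ) {
        return;                          // plugin not active, nothing to wrap
    }
    $original = $shortcode_tags['insert_php'];

    // To disable the shortcode outright instead, replace everything below
    // with:  remove_shortcode( 'insert_php' );
    // (the literal [insert_php] text then stays in the page, nothing runs).
    add_shortcode( 'insert_php', function ( $atts, $content = '', $tag = '' ) use ( $original ) {
        global $post;
        $ok = $post instanceof WP_Post
            && user_can( (int) $post->post_author, 'manage_options' );
        if ( ! $ok ) {
            error_log( sprintf(
                'insert_php blocked: post %d, author %d',
                $post instanceof WP_Post ? $post->ID : 0,
                $post instanceof WP_Post ? (int) $post->post_author : 0
            ) );
            return '';
        }
        // Author is an administrator: defer to the plugin's original handler.
        return call_user_func( $original, $atts, $content, $tag );
    } );
}, PHP_INT_MAX );
```

Keep this under wp-content/mu-plugins/ rather than in a theme or a normal plugin, because must-use plugins cannot be deactivated from the dashboard by a compromised account. The error_log line gives the monitoring rules above a concrete string to alert on, and the workaround does not replace the update: it only narrows who can reach the unchanged eval path.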
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.