CVE-2026-3352 Overview
The Easy PHP Settings plugin for WordPress contains a PHP Code Injection vulnerability in all versions up to and including 1.0.4. The vulnerability exists in the update_wp_memory_constants() method due to insufficient input validation on the wp_memory_limit and wp_max_memory_limit settings before writing them to wp-config.php. The sanitize_text_field() function used for sanitization does not filter single quotes, allowing an attacker to break out of the string context in a PHP define() statement. This enables authenticated attackers with Administrator-level access to inject and execute arbitrary PHP code on the server by modifying wp-config.php, which is loaded on every page request.
Critical Impact
Authenticated attackers with Administrator privileges can achieve persistent arbitrary PHP code execution by injecting malicious code into the WordPress configuration file, potentially leading to complete server compromise.
Affected Products
- Easy PHP Settings WordPress Plugin versions up to and including 1.0.4
- WordPress installations with the vulnerable plugin installed
Discovery Timeline
- 2026-03-07 - CVE-2026-3352 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-3352
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code - Code Injection). The flaw resides in the update_wp_memory_constants() method within the Easy PHP Settings plugin. When administrators configure memory settings through the plugin interface, the user-supplied values for wp_memory_limit and wp_max_memory_limit are written directly into the wp-config.php file as part of PHP define() statements.
The plugin relies on WordPress's sanitize_text_field() function to sanitize these inputs. However, this sanitization function is designed for general text cleanup and does not escape or filter single quote characters. This oversight creates a classic injection scenario where an attacker can terminate the intended string literal and inject arbitrary PHP code.
Root Cause
The root cause is improper input validation combined with unsafe file write operations. The sanitize_text_field() function removes HTML tags, encoded entities, and extra whitespace, but preserves single quotes. When these values are interpolated into PHP define() statements within wp-config.php, the unfiltered single quotes allow attackers to escape the string context and inject executable PHP code.
Attack Vector
The attack requires network access and authenticated Administrator-level privileges to access the plugin's settings interface. An attacker would navigate to the plugin settings, enter a malicious payload containing single quotes followed by arbitrary PHP code in either the wp_memory_limit or wp_max_memory_limit field. Upon saving, the malicious code is written to wp-config.php. Since WordPress loads this configuration file on every page request, the injected code executes with every subsequent request to the site, achieving persistent code execution.
The vulnerability mechanism involves breaking out of the define() statement's string context. For example, an attacker could craft a payload that closes the string literal, adds a semicolon to end the statement, inserts malicious PHP code, and then opens a new string to absorb the remaining syntax. Detailed technical analysis is available in the Wordfence vulnerability report and the plugin source code at version 1.0.4.
Detection Methods for CVE-2026-3352
Indicators of Compromise
- Unexpected PHP code or unusual define() statements in wp-config.php
- Single quotes followed by semicolons in WP_MEMORY_LIMIT or WP_MAX_MEMORY_LIMIT values
- Web shell files or unexpected PHP files appearing in the WordPress directory structure
- Unusual outbound network connections from the web server
Detection Strategies
- Monitor wp-config.php for unauthorized modifications using file integrity monitoring tools
- Audit WordPress admin activity logs for changes to Easy PHP Settings plugin configuration
- Implement web application firewall (WAF) rules to detect PHP code injection patterns in form submissions
- Review server access logs for suspicious requests following plugin settings changes
Monitoring Recommendations
- Enable file change detection for critical WordPress files, especially wp-config.php
- Configure alerts for administrator-level plugin settings modifications
- Monitor for unusual PHP process spawning or command execution on the web server
- Implement centralized logging to correlate plugin configuration changes with subsequent suspicious activity
How to Mitigate CVE-2026-3352
Immediate Actions Required
- Update Easy PHP Settings plugin to version 1.0.5 or later immediately
- Review wp-config.php for any unauthorized modifications or injected code
- Audit administrator accounts to ensure no unauthorized access has occurred
- Consider temporarily disabling the plugin if an immediate update is not possible
Patch Information
The vulnerability has been addressed in Easy PHP Settings version 1.0.5. The patched code can be reviewed in the updated plugin source. Site administrators should update the plugin through the WordPress dashboard or by manually downloading the latest version from the WordPress plugin repository.
Workarounds
- Restrict administrator account access to only trusted personnel until the patch is applied
- Implement additional input validation at the web server or WAF level to filter single quotes in memory limit fields
- Consider removing the plugin entirely if the functionality is not critical to site operations
- Monitor wp-config.php with file integrity monitoring and restore from backup if unauthorized changes are detected
# Check wp-config.php for suspicious define() statements
grep -E "define\s*\(\s*['\"]WP_(MAX_)?MEMORY_LIMIT['\"]" wp-config.php
# Verify Easy PHP Settings plugin version
grep -i "version" wp-content/plugins/easy-php-settings/readme.txt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
