The plugin doesn’t sanitize and validate the “Visibility logic” option for WordPress menu items, which could allow highly privileged users to execute arbitrary PHP code even in a hardened environment.
1. As an admin, go to “Appearance -> Menus” and create a menu with some items of your choice. 2. In the “Menu structure” click on any item (the arrow down on the right of ‘Page’) and locate “Visibility logic” field. 3. Add the following code in the field: file_put_contents(‘/var/www/hacked.php’, ‘’) 4. After saving changes and navigating to the menu’s location, the visibility logic triggers executing our payload.
CPE | Name | Operator | Version |
---|---|---|---|
menu-items-visibility-control | eq | * |