The Easy PHP Settings plugin for WordPress, maintained by shahadul878, contains a critical code injection vulnerability identified as CVE-2026-3352. This vulnerability exists in all versions up to and including 1.0.4 within the update_wp_memory_constants() method. The plugin attempts to update PHP memory limit constants by writing user-configured values (wp_memory_limit and wp_max_memory_limit) directly into the wp-config.php file. However, the sanitization function used, sanitize_text_field(), does not remove or escape single quote characters. This oversight allows an authenticated user with Administrator privileges to inject malicious PHP code by crafting input that breaks out of the string context in the define() statements inside wp-config.php. Since wp-config.php is loaded on every page request, the injected code executes with the same privileges as the web server’s PHP process, enabling full remote code execution. The vulnerability requires high privileges (Administrator) but no additional user interaction, making it a severe risk for compromised admin accounts. No patches or official fixes have been published yet, and no known exploits are reported in the wild. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and has a CVSS v3.1 base score of 7.2, indicating high severity with network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.

This vulnerability allows attackers with administrator access to execute arbitrary PHP code on the server by injecting code into wp-config.php, which is critical for WordPress configuration and loaded on every request. The impact includes full site compromise, data theft, defacement, installation of backdoors or malware, and potential pivoting to other systems within the hosting environment. Since WordPress powers a significant portion of the web, any site using the Easy PHP Settings plugin is at risk. The requirement for administrator access limits exploitation to insiders or attackers who have already compromised admin credentials. However, once exploited, the attacker gains full control over the WordPress installation and potentially the underlying server, severely impacting confidentiality, integrity, and availability of the affected systems.

1. Immediately restrict administrator access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication to reduce risk of credential compromise. 2. Disable or uninstall the Easy PHP Settings plugin until a security patch is released. 3. Monitor wp-config.php and other critical files for unauthorized changes using file integrity monitoring tools. 4. Implement web application firewalls (WAF) with custom rules to detect and block suspicious requests targeting plugin settings. 5. Regularly audit administrator accounts and revoke unnecessary privileges. 6. Backup wp-config.php and the entire WordPress site frequently to enable rapid recovery. 7. Once a patch or updated plugin version is available, apply it promptly. 8. Consider running WordPress in a hardened environment with least privilege file permissions to limit damage from code injection. 9. Educate administrators about the risks of installing untrusted plugins and the importance of timely updates.