CVE-2023-5199

9.9 CRITICAL

📋 TL;DR

Versions of the PHP to Page WordPress plugin up to and including 0.3 contain a Local File Inclusion (LFI) vulnerability: a file path supplied through the plugin's php-to-page shortcode reaches a PHP include without being validated. Any authenticated user, subscriber level or higher, can use it to include arbitrary local files. Because PHP executes whatever PHP code an included file contains, regardless of the file's extension, this becomes Remote Code Execution as soon as the attacker can get PHP code into a file the server can read (an uploaded image, a poisoned log).

💻 Affected Systems

Products:
  • WordPress PHP to Page plugin
Versions: All versions up to and including 0.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Any WordPress site with the plugin installed and active is affected, whatever the host OS. Attackers need an account with at least subscriber-level access, so sites that allow open registration expose this to anyone who signs up.

📦 What is this software?

PHP to Page is a WordPress plugin that lets page and post content pull in a PHP file from the server through the php-to-page shortcode. The file path handed to that shortcode is the input this vulnerability abuses.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise allowing attackers to execute arbitrary code, steal data, install malware, or pivot to other systems.

🟠

Likely Case

Author-level users (who hold the upload_files capability) upload a file of an allowed type, such as an image with PHP code embedded in it, and then include it through the shortcode; include() executes the PHP tags regardless of the file's extension, giving remote code execution. Subscribers cannot upload, so they first need another way to plant PHP code in a file the server can read, typically by poisoning a web-server or PHP log and then including that log.

🟢

If Mitigated

With the plugin deactivated or removed there is no exposure. If only access controls are in place (open registration disabled, upload rights withheld from low-privilege roles), the pool of attackers shrinks to trusted authenticated users, but the inclusion primitive itself remains and still lets any of them read files on the server.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account. Author-level users reach RCE by including a file they uploaded; subscriber-level users need an extra step, such as log poisoning, to get PHP code into a file they can then include.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Any release after 0.3. The advisory does not name a specific fixed version, so confirm that a newer release actually exists before relying on an update; if none does, remove the plugin.

Vendor Advisory: https://plugins.trac.wordpress.org/browser/php-to-page/trunk/php-to-page.php?rev=441028#L22 (this links to the plugin source in WordPress.org Trac; the anchor marks the line the report refers to)

Restart Required: No

Instructions:

1. Update the PHP to Page plugin to the latest version from the WordPress admin panel (Plugins > Installed Plugins) or with wp-cli.
2. If no release after 0.3 is available, remove the plugin entirely.
3. Verify that the installed version is above 0.3, or that the plugin is gone, using the check under How to Verify.

🔧 Temporary Workarounds

Disable PHP to Page plugin (platform: all)

Temporarily deactivate the vulnerable plugin until it is patched or removed; the shortcode handler is not loaded while the plugin is inactive:

wp plugin deactivate php-to-page

Restrict file uploads (platform: all)

Limit file upload capabilities for lower-privileged users. This cuts off the easiest route to RCE (including a file the attacker uploaded) but does not stop inclusion of files already on the server, so it is a partial mitigation only.

🧯 If You Can't Patch

  • Remove the PHP to Page plugin entirely from WordPress installation
  • Implement strict access controls (no open registration, upload rights only for trusted roles) and monitor for file inclusion attempts using the indicators under Detection & Monitoring

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel (Plugins > Installed Plugins), check the installed PHP to Page version. Any version up to and including 0.3 is vulnerable. A plugin that is installed but deactivated is not loaded, but it is one click away from being active again, so treat it as vulnerable until it is updated or removed.

Check Version:

wp plugin get php-to-page --field=version

Verify Fix Applied:

Verify plugin version is updated beyond 0.3 or plugin is completely removed.
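The version check and the deactivation workaround above are single wp-cli commands; the script below, an added example that is not part of the advisory or of the plugin, combines them into a triage loop for one or more WordPress installs. It compares the installed version against 0.3 component by component (so 0.3.1 and 0.10 are correctly treated as newer) and deactivates the plugin when it is in the vulnerable range. It assumes wp-cli is on PATH and, since the advisory names no fixed release, treats deactivation as the safe action rather than waiting for an update.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): triage PHP to Page
# across WordPress installs with wp-cli. Versions <= 0.3 are the vulnerable
# range per the advisory; no fixed release is named, so a vulnerable install
# is deactivated (removal is the equivalent permanent step).

VULN_MAX="0.3"  # last known vulnerable version (from the advisory)

# version_le A B: exit 0 if dotted version A <= B, comparing component by
# component as integers (0.3.1 > 0.3, 0.10 > 0.9). A non-numeric suffix such
# as "0.3-beta" is compared by its leading digits.
version_le() {
    _va="$1"; _vb="$2"
    while [ -n "$_va" ] || [ -n "$_vb" ]; do
        _ac="${_va%%.*}"; _bc="${_vb%%.*}"
        _ac="${_ac%%[!0-9]*}"; _bc="${_bc%%[!0-9]*}"   # drop "-beta" style suffixes
        _ac="${_ac:-0}"; _bc="${_bc:-0}"                # missing component counts as 0
        if [ "$_ac" -lt "$_bc" ]; then return 0; fi
        if [ "$_ac" -gt "$_bc" ]; then return 1; fi
        case "$_va" in *.*) _va="${_va#*.}" ;; *) _va="" ;; esac
        case "$_vb" in *.*) _vb="${_vb#*.}" ;; *) _vb="" ;; esac
    done
    return 0  # all components equal
}

# php_to_page_status VERSION: print "vulnerable" or "fixed"
php_to_page_status() {
    if version_le "$1" "$VULN_MAX"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# triage_site WP_PATH: read the installed version with wp-cli and deactivate
# the plugin when it is in the vulnerable range. Assumes wp-cli is installed.
triage_site() {
    wp_path="${1:-.}"
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp-cli not found on PATH" >&2
        return 2
    fi
    # wp-cli exits non-zero when the plugin is not installed
    if ! ver=$(wp plugin get php-to-page --field=version --path="$wp_path" 2>/dev/null); then
        echo "$wp_path: php-to-page is not installed"
        return 0
    fi
    case "$(php_to_page_status "$ver")" in
        vulnerable)
            echo "$wp_path: php-to-page $ver is vulnerable (<= $VULN_MAX); deactivating"
            wp plugin deactivate php-to-page --path="$wp_path"
            ;;
        *)
            echo "$wp_path: php-to-page $ver is outside the vulnerable range"
            ;;
    esac
}

# Usage: sh php-to-page-triage.sh /var/www/site1 /var/www/site2 ...
for site in "$@"; do
    triage_site "$site"
done
```

Run it with the document roots of every WordPress install you manage; an install where the plugin is absent is reported and skipped, and deactivating an already-inactive plugin is harmless. After a fixed release appears, replace the deactivate line with `wp plugin update php-to-page` and re-run the same loop to confirm every site reports a version outside the vulnerable range.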

📡 Detection & Monitoring

Log Indicators:

  • PHP error-log warnings from include()/require() ("failed to open stream", "Failed opening ... for inclusion") naming paths outside the WordPress directory; these appear while an attacker probes for files that do not exist on the host
  • Media uploads by author-level accounts whose contents contain PHP tags (<?php) despite carrying an image or other harmless extension
  • php-fpm or web-server worker processes spawning shells or network tools, which ordinary page rendering never does

Network Indicators:

  • POST request bodies containing a [php-to-page ...] shortcode whose argument contains ../, an absolute path, or a PHP stream wrapper such as php://. Shortcode text travels in the request body, so this needs request-body logging (a WAF or ModSecurity audit log), not a plain access log
  • Unusual outbound connections from the web server (reverse shells, tool downloads) following such a request

SIEM Query:

source="web_logs" AND "php-to-page" AND ("../" OR "%2e%2e" OR "php://" OR "/etc/" OR "/var/log/")

Search include/require failures in the PHP error log as a separate query: "failed to open stream" OR "Failed opening", filtered to paths outside the WordPress root.
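The SIEM query above is a keyword filter; the script below, an added example that is not part of the advisory or the plugin, turns the same logic into a regular expression a practitioner can run offline over a dump of post content or over a request-body log, and exercises it on a constructed sample (not real data). The advisory does not fix the name of the shortcode attribute, so the pattern inspects any attribute of a `[php-to-page ...]` shortcode (an assumption) and flags values that start with an absolute path, contain `../`, or start with a stream-wrapper scheme such as `php://`. The `wp post list` dump command in the usage comment is one way to obtain input and is likewise an assumption about your setup.

```shell
#!/bin/sh
# Added example (not from the advisory): flag php-to-page shortcodes whose
# argument looks like a file-inclusion payload. Works on any line-oriented
# text: a dump of post content, a WAF/ModSecurity audit log with request
# bodies, or a revision export. The attribute name is not fixed by the
# advisory, so any attribute of the shortcode is inspected (assumption).

# Matches: [php-to-page ... attr="VALUE" where VALUE starts with "/" (absolute
# path, e.g. a log file for poisoning), contains "../" (traversal), or starts
# with a scheme such as php:// or data:// (PHP stream wrapper).
PTP_PATTERN="\\[php-to-page[^]]*=[\"']?(/|[A-Za-z]+://|[^\"' ]*\\.\\./)"

# scan_php_to_page FILE: print matching lines with line numbers
scan_php_to_page() {
    grep -n -i -E "$PTP_PATTERN" "$1"
}

# count_php_to_page_hits FILE: print the number of matching lines (0 if none);
# grep exits 1 on "no match", which is not an error here
count_php_to_page_hits() {
    grep -c -i -E "$PTP_PATTERN" "$1" || [ $? -eq 1 ]
}

# make_sample: write a constructed sample (not real data) and print its path.
# Line 1 and line 6 are benign; lines 2-5 are the payload shapes described above.
make_sample() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[php-to-page file="includes/header.php"]
[php-to-page file="../../../../etc/passwd"]
[php-to-page file='/var/log/apache2/access.log']
[php-to-page file=php://filter/convert.base64-encode/resource=wp-config.php]
[PHP-TO-PAGE path="../wp-config.php"]
[gallery ids="1,2,3"]
EOF
    echo "$f"
}

# Usage: scan a post-content dump, for example
#   wp post list --post_status=any --field=post_content > posts.txt
#   sh scan-php-to-page.sh posts.txt
# With no argument the constructed sample is scanned instead.
if [ -n "${1:-}" ]; then
    scan_php_to_page "$1"
else
    scan_php_to_page "$(make_sample)"
fi
```

A hit on a post or revision tells you which account planted the shortcode (the post author in the dump, or the session in the audit log), which is the pivot for the rest of the investigation. A benign relative path such as `includes/header.php` is deliberately not flagged, so the scan stays quiet on sites that use the plugin legitimately; a value like `a/b/../c.php` is flagged even though it may resolve inside the web root, which is the conservative choice.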
