Critical RCE Found in Easy PHP Settings//Published on 2026-03-08//CVE-2026-3352

WP-FIREWALL SECURITY TEAM

Easy PHP Settings Vulnerability

Plugin Name Easy PHP Settings
Type of Vulnerability Remote Code Execution
CVE Number CVE-2026-3352
Urgency Low
CVE Publish Date 2026-03-08
Source URL CVE-2026-3352

Remote Code Execution in Easy PHP Settings (≤1.0.4): What WordPress Site Owners Must Do Now

Author: WP‑Firewall Security Team

Date: 2026-03-10

Categories: WordPress Security, Vulnerabilities, WAF Guidance

Summary: A PHP code‑injection vulnerability affecting the Easy PHP Settings plugin (versions ≤ 1.0.4) allows an authenticated administrator to inject PHP via the plugin’s wp_memory_limit setting. Although exploitation requires admin privileges, the impact is full Remote Code Execution (RCE). This post explains technical details, risk assessment, detection strategies, immediate mitigation steps you can take with WP‑Firewall, and a practical incident response checklist.

Table of contents

  • Background and risk overview
  • Technical details (how the vulnerability works)
  • Exploitability and real‑world scenarios
  • Immediate mitigation checklist (what to do in the next 1–24 hours)
  • Hardening & recommended configuration changes
  • WAF/virtual patching guidance (rules and signatures you can apply)
  • Detection: what logs and indicators to look for
  • Incident response and remediation playbook
  • Long‑term best practices for plugin risk reduction
  • WP‑Firewall offer and how we can help (includes free plan details and sign up link)
  • Appendix: example ModSecurity / WAF rules and WordPress hardening snippets

Background and risk overview

On 7 March 2026 a report was published describing a serious vulnerability in the Easy PHP Settings WordPress plugin (all releases up to and including 1.0.4). The vulnerability permits an authenticated administrator to inject raw PHP code via the plugin’s wp_memory_limit setting. When that value is processed by the plugin (or by WordPress in certain contexts), an attacker can achieve Remote Code Execution (RCE). The issue has been assigned CVE‑2026‑3352 and has a published CVSS base score near 7.2.

Why you should care:

  • RCE is one of the most dangerous outcomes of a vulnerability: it can lead to backdoors, data theft, site defacement, or pivoting to other systems on the same infrastructure.
  • Although an attacker needs an administrator account to weaponize this issue, admin compromises are not rare — phishing, credential reuse, and vulnerable third‑party tools are common vectors.
  • If your site runs the affected plugin, action is necessary even when you think your environment is low risk.

This post is written from the perspective of WP‑Firewall, a WordPress firewall and security provider. We’ll walk you through the technical mechanics, practical mitigations you can apply immediately (including WAF virtual patching), detection strategies, and an incident response checklist that your team can follow.

Technical details: how the vulnerability works

At a high level, the plugin exposes a settings field intended to control the WordPress memory limit (commonly stored as wp_memory_limit). Instead of strictly validating and sanitizing the input to that setting, the plugin allows characters that can be interpreted as PHP code when later used in an eval‑style context, or when the setting is passed to a function that does not safely cast/escape it.

Key points (technical summary)

  • Vulnerable component: Easy PHP Settings plugin UI that writes to the wp_memory_limit setting.
  • Input vector: The administrator settings form where the memory limit is accepted.
  • Root cause: Improper sanitization and unsafe handling of the stored setting; the plugin treats user‑supplied input as a blob that could be executed or concatenated into code later.
  • Result: An attacker with admin privileges can store payloads (for example payloads containing PHP code, encoded payloads, or strings that trigger eval paths) into the setting. When the plugin or other parts of the site process that setting, arbitrary PHP can execute.
  • Impact: Full RCE on the PHP process (subject to the privileges of the web server user).

Variants and likely exploit code

Attackers often try to inject small PHP constructs that allow further expansion, such as:

  • <?php system($_GET['cmd']); ?>
  • <?php assert($_POST['p']); ?>
  • <?php @eval(base64_decode($_SERVER['HTTP_X']);?>

Because many hosting environments have standard PHP functions enabled, these constructs can persist as backdoors that accept remote commands or payloads.

Note on exploitation path: The exploit requires an admin user to input or post the malicious payload into the plugin settings. The plugin’s code path then needs to process that value in a way that results in execution (direct eval, include, or passing to a function that evals). In many real cases, plugin developers accidentally call functions like eval(), include with dynamic paths, or dynamically build PHP code strings that are executed later. This vulnerability falls into that category.

Exploitability and real‑world attack scenarios

Let’s be realistic: attackers typically prefer low‑effort, high reward attacks. Because the vulnerability requires an administrator account to set the wp_memory_limit setting, exploitation can follow two typical paths:

  1. Credential compromise:

    • An attacker obtains a valid admin credential (phishing, password reuse from breached service, brute force, weak password).
    • They log in, navigate to plugin settings, inject malicious content into wp_memory_limit, and trigger execution.
    • Result: RCE and persistent backdoor or immediate data exfiltration.
  2. Malicious insider or compromised admin plugin:

    • A third‑party service, contractor or compromised admin account intentionally or unintentionally creates the payload.
    • Because the attack originates from a legitimate admin session, logs may look benign.

Why admins are still at risk

  • Admin accounts are sometimes shared across teams or created with weak MFA.
  • Attackers increasingly target the “human” element: phishing, social engineering, and credential stuffing remain top methods.
  • Many security teams assume that admin‑required vulnerabilities are safe — they’re not. Admin credentials leak, and once stolen the attacker has a high impact vector.

Assessing likelihood:

  • If your admin accounts are hardened (unique passwords, MFA, IP restrictions), the likelihood drops. But the impact remains very high if exploited.

Immediate mitigation checklist (first 24 hours)

If you run Easy PHP Settings and have a version ≤ 1.0.4, follow these steps immediately. The sequence assumes you may or may not be already compromised.

  1. Update plugin (primary fix)

    • As soon as the vendor releases a patched version, update to that version (1.0.5 or later, per vendor advisory). Updating removes the vulnerable code path. If an official release exists, update via the WordPress admin dashboard or WP‑CLI.
  2. If you cannot update immediately — apply temporary mitigations:

    • Disable the plugin: Deactivate the plugin via the WordPress admin or WP‑CLI:
      wp plugin deactivate easy-php-settings
    • If deactivation isn’t possible from the dashboard, rename the plugin folder via SFTP/SSH:
      mv wp-content/plugins/easy-php-settings wp-content/plugins/easy-php-settings.disabled
  3. Restrict access to admin screens:

    • Restrict access to wp-admin and /wp-admin/admin.php endpoints by IP (server firewall / .htaccess) to your trusted IPs.
    • Enforce 2FA and strong passwords for all admin users.
  4. Apply an emergency WAF rule (virtual patch)

    • If you use WP‑Firewall, enable the prebuilt ruleset for “Easy PHP Settings wp_memory_limit RCE” (or create a custom rule to block payload patterns).
    • Block requests that submit suspicious values for the wp_memory_limit parameter — e.g., requests that contain PHP opening tags, base64 strings with suspicious functions, or typical RCE keywords.
  5. Search for indicators of compromise (IoCs)

    • Scan uploads and core directories for newly created PHP files, web shells, or modified core and theme files.
    • Check for suspicious scheduled tasks, new admin users, or unexpected plugin/theme changes.
  6. Rotate admin credentials

    • Immediately reset passwords for all WordPress admin accounts and rotate any API/hosting credentials that may have been exposed.
    • Force logout all sessions: Use “Sessions” in Users or run SQL to clear sessions.
  7. Backup

    • Take a fresh backup of the site filesystem and database for forensic purposes before any remediation or changes that might destroy evidence.

Hardening and recommended configuration changes (post‑patch)

Once the site is patched or the plugin removed, harden your WordPress installation to reduce future risk:

  • Enforce MFA for all administrators (TOTP or FIDO2).
  • Restrict who can install/activate plugins. For multi‑admin environments, use role customization so only a small number of trusted accounts have plugin installation/setting privileges.
  • Disable theme and plugin file editing in the dashboard:
    define('DISALLOW_FILE_EDIT', true);
    define('DISALLOW_FILE_MODS', true); // if you want to prevent updates from dashboard for extra safety
  • Harden PHP and filesystem:
    • Disable dangerous PHP functions (if allowed by hosting): disable_functions = exec,passthru,shell_exec,system,proc_open,popen,eval
    • Apply strict file permissions: files 640/644, directories 750/755, wp-config.php 600/640
  • Secure wp-config.php:
    • Move it one directory up (if host permits)
    • Add salts and strong DB credentials.
  • Limit REST API/admin-ajax access to authenticated or whitelisted callers as appropriate.
  • Regularly audit plugins and themes — remove unused ones.

WAF/virtual patching guidance (how to stop exploitation without touching plugin code)

A Web Application Firewall is a high‑value mitigation when a vulnerability is public and a patch is not yet available, or you cannot quickly update. Virtual patching blocks the exploit traffic before it reaches vulnerable code.

High‑level rule ideas you can implement in WP‑Firewall:

  1. Block suspicious characters in the wp_memory_limit setting

    • Block requests containing PHP opening tags in POST/GET for admin endpoints:
      • Detect patterns like "<?php", "<?= ", "eval(", "base64_decode(", "system(", "exec(", "shell_exec("
  2. Block large or unusual base64 payloads

    • Many web shells use base64 encoded payloads. If you detect base64 strings in settings fields, block or alert.
  3. Restrict who can submit the settings endpoint

    • Only allow the plugin settings page to be accessible from trusted IP ranges or via authenticated, strong sessions.
    • If your site is small and admins use static IPs, allowlist those IPs.
  4. Contextual blocking of requests to admin-post.php/admin.php

    • If a POST to the plugin’s settings endpoint arrives with suspicious payload content, block the request and create an alert.

Example (regex pseudocode) — implement as WAF rule:

  • Block POST requests to admin.php where POST payload contains: (?i)(<\?php|\beval\(|\bbase64_decode\(|\bsystem\(|\bexec\(|\bshell_exec\(|\bpassthru\()
  • Block if wp_memory_limit parameter contains non‑legal values (only allow simplified patterns like \d+[KM]?)
  • If your hosting environment allows, create an allowlist for the wp_memory_limit values to only permit numeric + unit (e.g., 256M, 512M).

Important: Test WAF rules on staging before applying in production; adjust the rules to minimize false positives (e.g., some legitimate admin actions may include safe uses of parentheses).

WP‑Firewall specific recommendations

  • Turn on the WAF advanced rule set (we ship curated rules for known plugin risks).
  • Enable virtual patching / urgent rule deployment feature that applies temporary rules to block the exploit vector while you patch.
  • Turn on real‑time scanning and file integrity monitoring — this helps detect created web shells quickly.
  • Configure email and webhook alerts for blocked attempts targeting admin pages or fields matching wp_memory_limit.

Detection: what logs and indicators to look for

Successful or attempted exploitation leaves traces. Here’s where to look and what to look for:

  1. Web server and WAF logs

    • POST requests to /wp-admin/admin.php or plugin settings URL with payloads that include "<?php", "base64_", "eval", "system", etc.
    • Suspicious user agents or repeated POSTs from the same IP.
  2. WordPress activity logs

    • Settings updates on the plugin page (who changed them and from which IP).
    • New admin user creation, role changes, or unexpected plugin/theme activation.
  3. File system changes

    • New PHP files in uploads, wp-content, wp-includes, or any directories not typically holding PHP code.
    • Modified timestamps on core files, themes, and plugins.
  4. Unusual processes or outbound connections

    • The web server generating outbound connections to suspicious IPs or domains (exfiltration or callback).
    • Cron jobs or scheduled tasks that were not present before.
  5. Database anomalies

    • Unexpected options in the wp_options table (look for wp_memory_limit entries with odd content).
    • Unexpected serialized payloads in options or usermeta.
  6. Security scanner results

    • Regular malware scans may detect web shells or injected code patterns.

If you suspect compromise, preserve logs and make a full forensic snapshot before cleaning. This helps provide evidence and reduces the risk of removing traces prematurely.

Incident response and remediation playbook (step‑by‑step)

If you’ve detected exploitation or believe you may be compromised, follow this playbook:

  1. Isolate

    • Take the site offline to a maintenance page OR put it into staging if you need to preserve live operations.
    • Put the server behind an IP ACL or firewall to stop attacker traffic.
  2. Snapshot

    • Make full filesystem and DB snapshots for analysis.
  3. Contain

    • Deactivate the vulnerable plugin immediately.
    • Rotate all admin passwords, hosting control panel passwords, API tokens, and database credentials.
    • Revoke any active sessions.
  4. Eradicate

    • Remove backdoors and web shells. Use a trusted scanning tool and manual inspection.
    • Reinstall WordPress core, themes, and plugins from trusted sources (do not copy back infected files).
    • Replace any compromised files with clean versions.
  5. Recover

    • Reconfigure site settings, reapply hardening, and restore from a clean backup if available.
    • Monitor closely for reappearance of indicators.
  6. Post‑incident actions

    • Conduct a root cause analysis and document steps taken.
    • Communicate with stakeholders and, if required, with customers (transparency is important).
    • Apply lessons learned: tighten configuration, reduce admin accounts, enforce 2FA.
  7. Consider professional help

    • If the compromise is severe (data stolen, persistence mechanisms present, or you can’t fully remove backdoors), engage a professional incident response team.

Long‑term best practices for plugin risk reduction

  1. Minimize plugin footprint

    • Only install plugins you need. Remove plugins that are inactive or redundant.
  2. Vet plugins before installation

    • Check last update date, number of installs, active developer contact channels, and changelogs.
    • Prefer plugins with clear security practices and a history of quick patching.
  3. Use a staging environment

    • Test updates and security rules in staging before applying to production.
  4. Keep a changelog of admin users and permissions

    • Regularly audit admin accounts and remove inactive ones.
  5. Regular backups and automated testing

    • Maintain frequent backups and test restores on a schedule.
  6. Attack surface reduction

    • Disable unused services (XML‑RPC if not needed), limit file upload types, and enforce strict file permissions.
  7. Continuous monitoring

    • Keep WAF + malware scanning enabled and automated. Early detection reduces blast radius.

WP‑Firewall — how we can help (free plan and immediate assistance)

Protect your site today — start with WP‑Firewall Basic (Free)

If you want immediate protection while you patch or investigate, WP‑Firewall can help. Our Basic (Free) plan gives you essential protections designed to stop attack patterns like the one above:

  • Basic (Free)
    • Managed firewall with prebuilt rules
    • Unlimited bandwidth for WAF
    • Malware scanner
    • Mitigation for OWASP Top 10 risks
  • Standard ($50/year)
    • All Basic features, plus automatic malware removal and the ability to blacklist/whitelist up to 20 IPs.
  • Pro ($299/year)
    • All Standard features, plus monthly security reports, auto vulnerability virtual patching, and premium add‑ons such as a dedicated account manager and managed security services.

Sign up for WP‑Firewall Basic (Free) and enable the WAF rule sets that detect and block attempts to inject PHP via admin fields. Start here: https://my.wp-firewall.com/buy/wp-firewall-free-plan/

Why WP‑Firewall helps now

  • We can deploy virtual patching rules quickly to block the attack vector while you update the plugin.
  • Our malware scanner and file integrity monitoring help detect web shells and persistence.
  • Free plan users get immediate defensive coverage with zero cost — useful while you perform incident response.

Appendix: example WAF rules and WordPress hardening snippets

Note: These are example patterns meant to illustrate the kinds of rules you should create. Always test in staging.

Example ModSecurity (conceptual) rule to block PHP tags in POST payloads to admin endpoints:

SecRule REQUEST_URI "@rx /wp-admin/.*(admin.php|options-general.php)" "phase:2,chain,deny,log,msg:'Block PHP injection in admin settings'"
  SecRule ARGS_VALUES "@rx (<\?php|<\?=|eval\(|base64_decode\(|system\(|shell_exec\(|passthru\()" "t:none,t:urlDecode,t:lowercase"

Example WP‑Firewall rule logic (pseudocode)

  • If request.path contains '/wp-admin/' and request.POST.wp_memory_limit matches /(<\?php|\beval\(|base64_decode\(|system\(|exec\(|shell_exec\()/
  • Then block and alert admin.

WordPress hardening snippet (wp-config.php)

// prevent in-dashboard file editing
define('DISALLOW_FILE_EDIT', true);

// consider enabling auto updates for minor patches if supported
define('AUTOMATIC_UPDATER_DISABLED', false);

// Force secure cookies and SSL if site uses HTTPS
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);

Database cleanup example (inspect wp_options)

SELECT option_name, option_value FROM wp_options WHERE option_name LIKE '%memory%';
-- Look for unexpected values in wp_memory_limit or other settings. If suspicious, investigate the update history and audit logs.

Final notes and closing advice

This vulnerability is a strong reminder of the compound nature of risk: even admin‑only bugs can lead to catastrophic outcomes when admin credentials are compromised. Defense-in-depth is essential: apply patches quickly, enforce MFA and least privilege, use a WAF to provide virtual patching, and maintain strong monitoring and incident response processes.

If you run the Easy PHP Settings plugin on any WordPress site on your infrastructure, treat this as high priority: update to a patched plugin version as soon as it’s available. If you can’t update immediately, deactivate the plugin and apply WAF rules to block suspicious admin input.

If you’d like help implementing WAF rules, running a cleanup scan, or performing an incident response, WP‑Firewall’s team can assist. For immediate protection you can enroll in our Basic (Free) plan and enable managed firewall and malware scanning right away: https://my.wp-firewall.com/buy/wp-firewall-free-plan/

Stay safe, stay updated — and don’t assume an admin‑only bug is harmless.

wordpress security update banner

Receive WP Security Weekly for Free 👋
Signup Now!!

Sign up to receive WordPress Security Update in your inbox, every week.

We don’t spam! Read our privacy policy for more info.

Contact us to schedule a complimentary WordPress Security consultation

Contact Us

WP-Firewall
6/F, The Rays, 71 Hung To Road, Kwun Tong, Kowloon, Hong Kong

Features Pricing Blog Login
Privacy Policy Terms of Service Docs Affiliate

© 2026 WP-Firewall™