CVE-2011-10033
Published: 2025-10-15
Priority P278 · critical · 9.3 (CVSS 4.0)
In the wild (ITW): VulnCheck KEV, exploited in the wild
EPSS: 0.44% (34.9th percentile)
The WordPress plugin is-human <= v1.4.2 contains an eval injection vulnerability in /is-human/engine.php that can be triggered via the 'type' parameter when the 'action' parameter is set to 'log-reset'. The root cause is unsafe use of eval() on user-controlled input, which can lead to execution of attacker-supplied PHP and OS commands. This may result in arbitrary code execution as the webserver user, site compromise, or data exfiltration. The is-human plugin was made defunct in June 2008 and is no longer available for download. This vulnerability was exploited in the wild in March 2012.
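As an added example (not part of this record or of the plugin), a detection check that scans constructed access-log lines for requests matching the trigger described above: the is-human engine.php path with action=log-reset and a non-empty 'type' parameter. The /wp-content/plugins/ prefix is an assumption, and POST bodies are not recorded in access logs, so only query-string triggers are caught.

```python
"""Flag access-log requests that match the CVE-2011-10033 trigger pattern.

Added example: scans Apache/nginx combined-format log lines (constructed
samples below) for hits on /is-human/engine.php with action=log-reset and a
non-empty 'type' parameter, the code path the advisory describes.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, timestamp, "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def is_is_human_log_reset(target: str) -> bool:
    """True when the request target hits engine.php with action=log-reset
    and supplies a non-empty 'type' value (the eval()'d parameter)."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('/is-human/engine.php'):
        return False
    # parse_qs percent-decodes values; blank values are kept so an empty
    # 'type=' is distinguishable from a missing parameter.
    qs = parse_qs(parts.query, keep_blank_values=True)
    actions = [a.lower() for a in qs.get('action', [])]
    return 'log-reset' in actions and any(v for v in qs.get('type', []))

def scan_log(lines):
    """Return (ip, timestamp, target) for each line matching the trigger.
    Only the query string is visible here; POST bodies are not logged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_is_human_log_reset(m['target']):
            hits.append((m['ip'], m['ts'], m['target']))
    return hits

# Constructed sample log lines (placeholder traffic, not real captures).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2012:02:14:07 +0000] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=PLACEHOLDER HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2012:02:15:11 +0000] "GET /wp-content/plugins/is-human/engine.php?action=log-reset HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/Mar/2012:02:16:42 +0000] "GET /wp-content/plugins/is-human/engine.php?action=view&type=x HTTP/1.1" 200 88',
    '192.0.2.20 - - [10/Mar/2012:02:17:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 4021',
]

if __name__ == '__main__':
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip} {target}')
```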
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | phpmailer_3rd_party_library | — | — |
| is-human_wordpress_plugin | is-human_wordpress_plugin | <= 1.4.2 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 9.3 | CRITICAL | — |
GHSA
GHSA-xmcg-3p5m-pg58 · ghsa_unreviewed · 2025-10-15 · CVE-2011-10033 [CRITICAL] · CWE-95
VulnCheck
vulncheck · 2011 · CVSS 9.3 · CVE-2011-10033 [CRITICAL]
disable_wordpress_update_notifications_and_auto-update_email_notifications_project is-human__plugin: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Affected: berlet
Drupal
PHPmailer 3rd party library - PSA-2016-004 · vendor_drupal · 2016-12-26 · CVSS 9.8 · CVE-2016-10033 [CRITICAL]
Vulnerability Type: PHPmailer 3rd party library
Description: Advisory ID: DRUPAL-SA-PSA-2016-004 Project: PHPMailer (third-party library) Version: 7.x, 8.x Date: 2016-December-26 Security risk: 23/25 ( Highly Critical ) AC:None/A:User/CI:All/II:All/E:Exploit/TD:All Vulnerability: Arbitrary PHP code execution Description The PHPMailer and SMTP modules (and maybe others) add support for sending e-mails using the 3rd party PHPMailer library. In general the Drupal project does not create advisories for 3rd party libraries. Drupal site maintainers should pay attention to the notifications provided by those 3rd party libraries as outlined in PSA-2011-002 - External libraries and plugins . However, given the extreme criticality of this issue and
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://web.archive.org/web/20120115212202/http://blog.spiderlabs.com/2012/01/honeypot-alert-is-human-wordpress-plugin-remote-command-execution-attack-detected.html
- https://wordpress.org/plugins/is-human/
- https://www.exploit-db.com/exploits/17299
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-alert-more-wordpress-is_human-plugin-remote-command-injection-attack-detected/
- https://www.vulncheck.com/advisories/wordpress-plugin-is-human-eval-injection-rce