2025-10-15 01:23:46
VulnCheck
PUBLISHED
The WordPress pluginĀ is-human <= v1.4.2 containsĀ an eval injection vulnerability in /is-human/engine.php that can be triggered via the type parameter when the action parameter is set to log-reset. The root cause is unsafe use of eval() on user-controlled input, which can lead to execution of attacker-supplied PHP and OS commands. This may result in arbitrary code execution as the webserver user, site compromise, or data exfiltration. The is-human plugin was made defunct in June 2008 and is no longer available for download. This vulnerability was exploited in the wild in March 2012.