WordPress Plugin is-human <= v1.4.2 Eval Injection RCE

Advisories

WordPress Plugin is-human <= v1.4.2 Eval Injection RCE

severity: critical
date: 10/14/2025
Affecting: is-human <= v1.4.2
CVE: CVE-2011-10033
CWE: CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-17299
Archived SpiderLabs Exploitation Evidence
SpiderLabs Continued Activity Exploitation Evidence
is-human WordPress Plugin
Credit: neworder
Description: The WordPress plugin is-human <= v1.4.2 contains an eval injection vulnerability in /is-human/engine.php that can be triggered via the 'type' parameter when the 'action' parameter is set to 'log-reset'. The root cause is unsafe use of eval() on user-controlled input, which can lead to execution of attacker-supplied PHP and OS commands. This may result in arbitrary code execution as the webserver user, site compromise, or data exfiltration. The is-human plugin was made defunct in June 2008 and is no longer available for download. This vulnerability was exploited in the wild in March 2012.
VulnCheck KEV: This advisory is in the VulnCheck KEV database

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo