Wp2Fac 1.0 OS Command Injection via send.php Endpoint

Advisories

severity: critical
date: December 15, 2025
Affecting: Wp2Fac 1.0
CVE: CVE-2023-53872
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-51717
wp2fac GitHub Repository
Credit: Ahmet Ümit BAYRAM
Description: Wp2Fac 1.0 contains an OS command injection vulnerability in the send.php endpoint that allows remote attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'numara' parameter by appending shell commands with '&' operators to execute malicious code.