CVE-2011-10033
WordPress Plugin is-human <= v1.4.2 Eval Injection RCE
Basic Information
- CVE State: PUBLISHED
- Reserved Date: October 10, 2025
- Published Date: October 15, 2025
- Last Updated: May 15, 2026
- Vendor: is-human WordPress Plugin
- Product: is-human WordPress Plugin
- Description: The WordPress plugin is-human <= v1.4.2 contains an eval injection vulnerability in /is-human/engine.php that can be triggered via the 'type' parameter when the 'action' parameter is set to 'log-reset'. The root cause is unsafe use of eval() on user-controlled input, which can lead to execution of attacker-supplied PHP and OS commands. This may result in arbitrary code execution as the webserver user, site compromise, or data exfiltration. The is-human plugin was made defunct in June 2008 and is no longer available for download. This vulnerability was exploited in the wild in March 2012.
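A defender-side check for the request pattern in the description, as an added example that is not part of the CVE record: it flags access-log entries that reach /is-human/engine.php and marks those carrying action=log-reset together with a type parameter. The combined log format, the /wp-content/plugins/ prefix, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: Apache/nginx "combined" access log format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
VULN_PATH_SUFFIX = "/is-human/engine.php"  # path named in the CVE description


def classify(line):
    """Return (ip, verdict, status) for a hit on the plugin endpoint, else None.

    verdict is "trigger" when the query string carries action=log-reset plus a
    type parameter, and "probe" for any other request to the endpoint. Only the
    URL is inspected: parameters sent in a request body never reach an access
    log, so a "probe" on this long-defunct plugin still deserves review.
    """
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Decode percent-encoding before comparing so encoded paths still match.
    if not unquote(parts.path).lower().endswith(VULN_PATH_SUFFIX):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    actions = [v.lower() for v in params.get("action", [])]
    verdict = "trigger" if "log-reset" in actions and "type" in params else "probe"
    return m["ip"], verdict, int(m["status"])


def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:00:00:01 +0000] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=PLACEHOLDER HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.8 - - [01/Jan/2024:00:00:02 +0000] "GET /wp-content/plugins/is-human/engine.php?action=log%2Dreset&type=x HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.5 - - [01/Jan/2024:00:00:03 +0000] "POST /wp-content/plugins/is-human/engine.php HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:00:00:04 +0000] "GET /index.php?action=log-reset&type=x HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for ip, verdict, status in scan(SAMPLE_LOG):
        print(f"{ip}\t{verdict}\tHTTP {status}")
```

A 200 response on a flagged request indicates the plugin file is still present on the host; a 404 indicates scanning against a site that does not have it installed.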
CVSS Scores
CVSS v4.0
9.3 - CRITICAL
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SSVC Information
- Exploitation: poc
- Automatable: Yes
- Technical Impact: total
Exploit Status
- Exploited in the Wild: Yes (2026-06-01 10:42:14 UTC)
References
https://wordpress.org/plugins/is-human/
https://www.exploit-db.com/exploits/17299
https://web.archive.org/web/20120115212202/http://blog.spiderlabs.com/2012/01/honeypot-alert-is-human-wordpress-plugin-remote-command-execution-attack-detected.html
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-alert-more-wordpress-is_human-plugin-remote-command-injection-attack-detected/
https://www.vulncheck.com/advisories/wordpress-plugin-is-human-eval-injection-rce
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CVE | 2026-06-01 10:42:14 UTC |
Timeline
- CVE ID Reserved
- CVE Published to Public
- Added to KEVIntel