CVE-2026-49774

RD Station <= 5.6.0 - Authenticated (Contributor+) Remote Code Execution

highImproper Control of Generation of Code ('Code Injection')
8.8
CVSS Score
8.8
CVSS Score
high
Severity
5.7.0
Patched in
7d
Time to patch

Description

The RD Station plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.6.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=5.6.0
PublishedJune 4, 2026
Last updatedJune 10, 2026
Affected pluginintegracao-rd-station

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-49774 (RD Station RCE) ## 1. Vulnerability Summary The RD Station plugin (`integracao-rd-station`) for WordPress is vulnerable to **Authenticated Remote Code Execution (RCE)** in versions up to and including 5.6.0. The vulnerability is classified as **Code Inj…

Show full research plan

Exploitation Research Plan: CVE-2026-49774 (RD Station RCE)

1. Vulnerability Summary

The RD Station plugin (integracao-rd-station) for WordPress is vulnerable to Authenticated Remote Code Execution (RCE) in versions up to and including 5.6.0. The vulnerability is classified as Code Injection (CWE-94). It occurs because the plugin allows users with Contributor-level permissions or higher to modify settings—specifically those that store script blocks or integration parameters—without adequate capability checks or input sanitization. These settings are subsequently evaluated or included in a way that executes PHP code.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • AJAX Action: rd_station_save_settings (inferred) or rd_save_tracking_codes (inferred).
  • Vulnerable Parameter: rd_header_scripts (inferred) or tracking_code_content (inferred).
  • Authentication: Authenticated (Contributor-level or higher).
  • Preconditions: The plugin must be active. The attacker must have a valid session cookie for a Contributor user.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an AJAX handler for authenticated users using add_action( 'wp_ajax_rd_save_settings', '...' ).
  2. Capability Gap: The handler function likely uses is_user_logged_in() or checks for a low-level capability like edit_posts (which Contributors have), instead of the robust manage_options capability required for site-wide settings.
  3. Data Processing: The handler takes input from $_POST['settings'] or a similar parameter. It does not strip PHP tags or sanitize for executable code.
  4. Storage: The input is saved to the database via update_option( 'rd_station_settings', ... ).
  5. Sink (The RCE): A separate function, hooked to wp_head or init, retrieves this option. If the plugin uses a method like eval() on the stored content, or writes the content to a .php file in the wp-content/uploads directory that is later included, RCE is achieved.

4. Nonce Acquisition Strategy

The RD Station plugin typically localizes security tokens for its admin interface. To obtain a valid nonce as a Contributor:

  1. Identify the Script Handle: Look for where the plugin enqueues its admin scripts (e.g., using wp_enqueue_script in an admin_enqueue_scripts hook).
  2. Find the Localized Variable: The plugin likely uses wp_localize_script() to pass a nonce to the frontend.
  3. Extraction Steps:
    • Log in as the Contributor user.
    • Navigate to the WordPress Dashboard (/wp-admin/index.php).
    • Use browser_eval to search for the nonce in the global window object.
    • Inferred Variable: window.RDStationSettings?.nonce or window.rd_token?.save_nonce.
// Example extraction logic for the agent
const nonce = browser_eval("window.rd_station_admin_data?.nonce || window.rd_station_data?.nonce");

5. Exploitation Strategy

The goal is to update the plugin settings with a PHP payload that will be executed by the server.

  1. Authentication: Obtain session cookies for a Contributor user.
  2. Request Construction:
    • Method: POST
    • URL: https://<target>/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body Parameters:
      • action: rd_station_save_settings (inferred)
      • _wpnonce: [EXTRACTED_NONCE]
      • rd_scripts_payload: <?php system('id'); die(); ?> (The exact parameter name must be verified via the plugin's admin/ directory source).
  3. Triggering: Navigate to the site's homepage or any public page. If the code is injected into a "Header Scripts" setting, the payload will execute when wp_head() is called.

6. Test Data Setup

  1. User Creation:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
    
  2. Plugin Setup: Ensure integracao-rd-station version 5.6.0 is installed and activated.
  3. Page Creation: (If a specific shortcode is needed to trigger script loading):
    wp post create --post_type=page --post_status=publish --post_content='[rd_station_form id="123"]' --post_title='RD Trigger'
    

7. Expected Results

  • Success Indicator: The HTTP response from the trigger page should contain the output of the id command (e.g., uid=33(www-data) gid=33(www-data) groups=33(www-data)).
  • HTTP Status: The AJAX save request should return a 200 OK or a JSON success message {"success":true}.

8. Verification Steps

  1. Database Check: Verify if the malicious payload was stored in the options table:
    wp option get rd_station_settings
    
  2. Log Check: If the payload used error_log(), check the WordPress debug log:
    tail -n 20 wp-content/debug.log
    

9. Alternative Approaches

  • Direct Option Manipulation: If the AJAX handler is not the entry point, check for admin_init hooks that process $_POST data without nonce or capability checks.
  • REST API: Check if the plugin registers any routes via register_rest_route. If the permission_callback returns true or only checks for edit_posts, the exploit can be ported to a REST API request:
    • POST /wp-json/rdstation/v1/settings
  • Shortcode Injection: If the RCE is via a shortcode attribute being passed to eval(), attempt to use a Contributor's ability to create posts to execute the shortcode:
    • [rd_shortcode param="; system('id');"] (if the plugin improperly handles attributes).
Research Findings
Static analysis — not yet PoC-verified

Summary

The RD Station plugin for WordPress (up to and including version 5.6.0) is vulnerable to Remote Code Execution via Code Injection. This vulnerability allows authenticated users with Contributor-level access or higher to save arbitrary PHP code into plugin settings, which is subsequently executed by the server.

Exploit Outline

To exploit this vulnerability, an authenticated user with Contributor-level permissions must obtain a valid security nonce, typically extracted from localized scripts in the WordPress admin dashboard. The attacker then sends a POST request to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) targeting a settings-saving action (such as rd_station_save_settings). The payload includes malicious PHP code within configuration parameters (e.g., rd_header_scripts or tracking_code_content). Once stored in the database, the injected code is triggered and executed when a user visits a site page that renders the plugin's header scripts or tracking components.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.