RD Station <= 5.6.0 - Authenticated (Contributor+) Remote Code Execution
Description
The RD Station plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.6.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=5.6.0Source Code
WordPress.org SVNPatched version not available.
# Exploitation Research Plan: CVE-2026-49774 (RD Station RCE) ## 1. Vulnerability Summary The RD Station plugin (`integracao-rd-station`) for WordPress is vulnerable to **Authenticated Remote Code Execution (RCE)** in versions up to and including 5.6.0. The vulnerability is classified as **Code Inj…
Show full research plan
Exploitation Research Plan: CVE-2026-49774 (RD Station RCE)
1. Vulnerability Summary
The RD Station plugin (integracao-rd-station) for WordPress is vulnerable to Authenticated Remote Code Execution (RCE) in versions up to and including 5.6.0. The vulnerability is classified as Code Injection (CWE-94). It occurs because the plugin allows users with Contributor-level permissions or higher to modify settings—specifically those that store script blocks or integration parameters—without adequate capability checks or input sanitization. These settings are subsequently evaluated or included in a way that executes PHP code.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.php - AJAX Action:
rd_station_save_settings(inferred) orrd_save_tracking_codes(inferred). - Vulnerable Parameter:
rd_header_scripts(inferred) ortracking_code_content(inferred). - Authentication: Authenticated (Contributor-level or higher).
- Preconditions: The plugin must be active. The attacker must have a valid session cookie for a Contributor user.
3. Code Flow (Inferred)
- Entry Point: The plugin registers an AJAX handler for authenticated users using
add_action( 'wp_ajax_rd_save_settings', '...' ). - Capability Gap: The handler function likely uses
is_user_logged_in()or checks for a low-level capability likeedit_posts(which Contributors have), instead of the robustmanage_optionscapability required for site-wide settings. - Data Processing: The handler takes input from
$_POST['settings']or a similar parameter. It does not strip PHP tags or sanitize for executable code. - Storage: The input is saved to the database via
update_option( 'rd_station_settings', ... ). - Sink (The RCE): A separate function, hooked to
wp_headorinit, retrieves this option. If the plugin uses a method likeeval()on the stored content, or writes the content to a.phpfile in thewp-content/uploadsdirectory that is later included, RCE is achieved.
4. Nonce Acquisition Strategy
The RD Station plugin typically localizes security tokens for its admin interface. To obtain a valid nonce as a Contributor:
- Identify the Script Handle: Look for where the plugin enqueues its admin scripts (e.g., using
wp_enqueue_scriptin anadmin_enqueue_scriptshook). - Find the Localized Variable: The plugin likely uses
wp_localize_script()to pass a nonce to the frontend. - Extraction Steps:
- Log in as the Contributor user.
- Navigate to the WordPress Dashboard (
/wp-admin/index.php). - Use
browser_evalto search for the nonce in the globalwindowobject. - Inferred Variable:
window.RDStationSettings?.nonceorwindow.rd_token?.save_nonce.
// Example extraction logic for the agent
const nonce = browser_eval("window.rd_station_admin_data?.nonce || window.rd_station_data?.nonce");
5. Exploitation Strategy
The goal is to update the plugin settings with a PHP payload that will be executed by the server.
- Authentication: Obtain session cookies for a Contributor user.
- Request Construction:
- Method:
POST - URL:
https://<target>/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body Parameters:
action:rd_station_save_settings(inferred)_wpnonce:[EXTRACTED_NONCE]rd_scripts_payload:<?php system('id'); die(); ?>(The exact parameter name must be verified via the plugin'sadmin/directory source).
- Method:
- Triggering: Navigate to the site's homepage or any public page. If the code is injected into a "Header Scripts" setting, the payload will execute when
wp_head()is called.
6. Test Data Setup
- User Creation:
wp user create attacker attacker@example.com --role=contributor --user_pass=password123 - Plugin Setup: Ensure
integracao-rd-stationversion 5.6.0 is installed and activated. - Page Creation: (If a specific shortcode is needed to trigger script loading):
wp post create --post_type=page --post_status=publish --post_content='[rd_station_form id="123"]' --post_title='RD Trigger'
7. Expected Results
- Success Indicator: The HTTP response from the trigger page should contain the output of the
idcommand (e.g.,uid=33(www-data) gid=33(www-data) groups=33(www-data)). - HTTP Status: The AJAX save request should return a
200 OKor a JSON success message{"success":true}.
8. Verification Steps
- Database Check: Verify if the malicious payload was stored in the options table:
wp option get rd_station_settings - Log Check: If the payload used
error_log(), check the WordPress debug log:tail -n 20 wp-content/debug.log
9. Alternative Approaches
- Direct Option Manipulation: If the AJAX handler is not the entry point, check for
admin_inithooks that process$_POSTdata without nonce or capability checks. - REST API: Check if the plugin registers any routes via
register_rest_route. If thepermission_callbackreturnstrueor only checks foredit_posts, the exploit can be ported to a REST API request:POST /wp-json/rdstation/v1/settings
- Shortcode Injection: If the RCE is via a shortcode attribute being passed to
eval(), attempt to use a Contributor's ability to create posts to execute the shortcode:[rd_shortcode param="; system('id');"](if the plugin improperly handles attributes).
Summary
The RD Station plugin for WordPress (up to and including version 5.6.0) is vulnerable to Remote Code Execution via Code Injection. This vulnerability allows authenticated users with Contributor-level access or higher to save arbitrary PHP code into plugin settings, which is subsequently executed by the server.
Exploit Outline
To exploit this vulnerability, an authenticated user with Contributor-level permissions must obtain a valid security nonce, typically extracted from localized scripts in the WordPress admin dashboard. The attacker then sends a POST request to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) targeting a settings-saving action (such as rd_station_save_settings). The payload includes malicious PHP code within configuration parameters (e.g., rd_header_scripts or tracking_code_content). Once stored in the database, the injected code is triggered and executed when a user visits a site page that renders the plugin's header scripts or tracking components.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.