- PHPUnit is a programmer-oriented testing framework for PHP. PHPUnit 4.x versions before 4.8.28 and 5.x versions before 5.6.3 allow remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a substring. This vulnerability is exploitable only if the /vendor folder is publicly accessible.
- Upgrade to the latest version of PHPUnit. This issue was fixed in PHPUnit versions 4.8.28 and 5.6.3.
- Drupal Core 4.7.x Arbitrary Code Execution (4.7.0 - 4.7.5)
- WordPress Plugin Subscribe Form Remote Command Execution (1.1)
- Movable Type 4.x unauthenticated remote command execution
- Drupal Core 5.x Arbitrary Code Execution (5.0 - 5.2)
- WordPress Plugin WP Live Chat Support Remote Code Execution (7.0.01)
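
A defender-side check for the PHPUnit version ranges in the description above, added here as an example and not part of the original advisory or of PHPUnit: it reads a `composer.lock` and classifies any `phpunit/phpunit` entry against the fixed releases 4.8.28 and 5.6.3. The lock file content is constructed sample data, and the status labels are this example's own.

```python
import json
import re

PACKAGE = "phpunit/phpunit"
# First fixed release per affected major line, as stated in the advisory.
FIXED = {4: (4, 8, 28), 5: (5, 6, 3)}

def classify(raw_version):
    """Map a Composer version string to a status label (labels are this example's own)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw_version.strip())
    if not m:
        return "unknown"          # dev branches, aliases: needs manual review
    version = tuple(int(p) for p in m.groups())
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "not-covered"      # the advisory only addresses 4.x and 5.x
    return "vulnerable" if version < fixed else "fixed"

def audit_lockfile(text):
    """Return (section, version, status) for each PHPUnit entry in a composer.lock."""
    lock = json.loads(text)
    findings = []
    # PHPUnit is normally a dev dependency, but check both sections.
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                ver = pkg.get("version", "")
                findings.append((section, ver, classify(ver)))
    return findings

# Constructed sample lock file (trimmed to the fields the check reads).
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "monolog/monolog", "version": "1.22.0"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "5.6.2"}],
})

if __name__ == "__main__":
    for section, ver, status in audit_lockfile(SAMPLE_LOCK):
        print(f"{PACKAGE} {ver} ({section}): {status}")
        if status == "vulnerable":
            # Per the advisory, exposure also requires a web-reachable /vendor folder.
            print("  upgrade PHPUnit and confirm /vendor is not publicly accessible")
```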