CVE-2011-10033
CVE-2011-10033 is a critical-severity vulnerability with a CVSS 4.0 base score of 9.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-95.
Key facts
- Severity: Critical (CVSS 4.0 base score 9.3)
- EPSS exploit prediction: 0% (35th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2011-5263
- Weakness: CWE-95
- Published:
- Last modified:
Description
The WordPress plugin is-human <= v1.4.2 contains an eval injection vulnerability in /is-human/engine.php that can be triggered via the 'type' parameter when the 'action' parameter is set to 'log-reset'. The root cause is unsafe use of eval() on user-controlled input, which can lead to execution of attacker-supplied PHP and OS commands. This may result in arbitrary code execution as the webserver user, site compromise, or data exfiltration. The is-human plugin was made defunct in June 2008 and is no longer available for download. This vulnerability was exploited in the wild in March 2012.
Frequently asked questions
- What is CVE-2011-10033?
- The WordPress plugin is-human <= v1.4.2 contains an eval injection vulnerability in /is-human/engine.php that can be triggered via the 'type' parameter when the 'action' parameter is set to 'log-reset'. The root cause is unsafe use of eval() on user-controlled input, which can lead to execution of attacker-supplied PHP and OS commands. This may result in arbitrary code execution as the webserver user, site compromise, or data exfiltration. The is-human plugin was made defunct in June 2008 and is no longer available for download. This vulnerability was exploited in the wild in March 2012.
- How severe is CVE-2011-10033?
- CVE-2011-10033 has a CVSS 4.0 base score of 9.3, rated critical severity.
- Is CVE-2011-10033 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (35th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2011-10033?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2011-10033 have an EU (EUVD) identifier?
- Yes. CVE-2011-10033 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2011-5263.
- When was CVE-2011-10033 published?
- CVE-2011-10033 was published on 2025-10-15 and last updated on 2026-06-16.
References
- https://web.archive.org/web/20120115212202/http://blog.spiderlabs.com/2012/01/honeypot-alert-is-human-wordpress-plugin-remote-command-execution-attack-detected.html
- https://wordpress.org/plugins/is-human/
- https://www.exploit-db.com/exploits/17299
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-alert-more-wordpress-is_human-plugin-remote-command-injection-attack-detected/
- https://www.vulncheck.com/advisories/wordpress-plugin-is-human-eval-injection-rce
Other CWE-95 (Eval Injection) vulnerabilities
- CVE-2026-44643 — Critical (CVSS 10.0): Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an…
- CVE-2025-68271 — Critical (CVSS 10.0): OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems.…
- CVE-2013-10070 — Critical (CVSS 10.0): PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names…
- CVE-2022-36010 — Critical (CVSS 10.0): This library allows strings to be parsed as functions and stored as a specialized component,…
- CVE-2026-1470 — Critical (CVSS 9.9): n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system.…
- CVE-2023-29511 — Critical (CVSS 9.9): XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with…