What the vulnerability does
01 Description
AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote code execution.
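For triage on a site that ran a version before 3.3.2, the following added example (not code from the plugin or its vendor) reviews web access logs for requests whose `login_error` query parameter holds anything other than a plain token. It assumes combined-format logs and that a legitimate value is a short alphanumeric string; the log lines, paths and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate login_error value is a short plain status token.
# Anything else (brackets, semicolons, quotes, tags) is worth a manual look.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_\- ]{0,64}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_login_error(log_line):
    """Return decoded login_error values in one log line that fail the allowlist."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    values = parse_qs(query, keep_blank_values=True).get("login_error", [])
    return [v for v in values if not SAFE_VALUE.fullmatch(v)]

def scan(lines):
    """Return (line number, client address, offending values) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        bad = suspicious_login_error(line)
        if bad:
            hits.append((n, line.split()[0], bad))
    return hits

# Constructed sample entries (documentation address ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2026:08:01:12 +0000] '
    '"GET /login/?login_error=invalid_password HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Jan/2026:08:03:40 +0000] '
    '"GET /login/?login_error=CONSTRUCTED%28%29%3B HTTP/1.1" 200 5391',
    '203.0.113.7 - - [10/Jan/2026:08:04:02 +0000] '
    '"GET /wp-login.php HTTP/1.1" 200 2101',
]

if __name__ == "__main__":
    # Access logs record query strings only; a parameter sent in a POST body
    # would need WAF or application-level logging to be visible.
    for lineno, client, values in scan(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent login_error={values!r}")
```

A hit is a lead for investigation, not proof of compromise; updating to 3.3.2 or later is what removes the exposure.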
Explanation of Vulnerability in Simple Terms
02 Summary
AccessAlly versions before 3.3.2 contain a code injection vulnerability that allows unauthenticated attackers to execute arbitrary code on affected sites. The vulnerability exists in how the product processes user input without proper validation or sanitization. An attacker can exploit this remotely without requiring authentication or user interaction.
What an attacker can do
03 Attacker Capabilities
Run their own code on the site to steal data, modify content, or take control of the installation.
Potential impact on your site
04 Site Impact
Complete compromise of the site and any data it stores; attacker can modify or delete content and user accounts.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
January 9, 2026: CVE published
March 5, 2026: Record updated