CVE-2026-49774 CRITICAL

CVE-2026-49774: WordPress RD Station plugin <= 5.6.0 - Remote Code Execution (RCE) vulnerability

Vendor Filipe Nasc
Product RD Station
Weakness CWE-94 · Code injection
Published June 16, 2026
Last update June 16, 2026

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion. This issue affects RD Station: from n/a through 5.6.0.

Explanation of Vulnerability in Simple Terms

02Summary

RD Station versions up to 5.6.0 contain a code injection vulnerability that allows authenticated users with low privileges to run arbitrary code on the site. The vulnerability affects the entire system due to scope change, meaning an attacker can read sensitive data, modify site content, or disrupt service. A patch version has not been publicly identified.

What an attacker can do

03Attacker Capabilities

Run arbitrary code on the site, read sensitive data, modify content, or disrupt service.

Potential impact on your site

04Site Impact

Any authenticated user can compromise the entire RD Station installation and potentially the underlying server.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege authenticated account; no user interaction required.

Key dates

06Disclosure timeline

June 16, 2026 CVE published

Related vulnerabilities

08Related CVE