How is CVE-2026-49774 exploited?

Network reachability (required): The attacker must be able to reach the WordPress site over the network; no local or physical access is needed. Authentication (required): Any low-privilege WordPress account (such as a subscriber-level user) is sufficient; administrative credentials are not required. Victim interaction (not-required): No action from another user or administrator is needed to trigger the vulnerability. Attack complexity (info): The exploit is reliable and condition-free; no race conditions or special memory layout are required to achieve code execution.

What is the impact of CVE-2026-49774?

The attacker executes arbitrary server-side code in the context of the web server process, enabling full control over the WordPress application. All data stored in the WordPress database, including user credentials, session tokens, and customer records, is readable by the attacker. The attacker can write, modify, or delete files on the server, including theme files, plugin files, and uploaded content. Because the scope is changed (S:C), the attacker can pivot beyond the plugin boundary to affect other applications or services sharing the same server environment.

Back to search

CRITICALCVE-2026-49774Published 2026-06-16Modified 2026-06-16CNA Patchstack

CVE-2026-49774: WordPress RD Station plugin <= 5.6.0 - Remote Code Execution (RCE) vulnerability

Q: What is CVE-2026-49774?

A code injection vulnerability in the RD Station WordPress plugin (versions up to and including 5.6.0) allows a remote attacker with any low-privilege account to execute arbitrary code on the server. The vulnerability is reachable over the network, requires no victim interaction, and has a changed scope meaning exploitation can break out of the plugin's own security boundary to affect the broader WordPress environment. Successful exploitation gives the attacker full read, write, and availability control over the host. No fix has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment an upstream fix is released.

Q: Is CVE-2026-49774 patched?

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the maintainer ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention as soon as a fix version is confirmed.

Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion. This issue affects RD Station: from n/a through 5.6.0.

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A code injection vulnerability in the RD Station WordPress plugin (versions up to and including 5.6.0) allows a remote attacker with any low-privilege account to execute arbitrary code on the server. The vulnerability is reachable over the network, requires no victim interaction, and has a changed scope meaning exploitation can break out of the plugin's own security boundary to affect the broader WordPress environment. Successful exploitation gives the attacker full read, write, and availability control over the host. No fix has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-49774 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the RD Station plugin. Any image at or below plugin version 5.6.0 is flagged automatically.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 9.9 Critical and weighting it further against each customer environment's compliance policy, for example stricter SLAs for internet-facing workloads. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the maintainer ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention as soon as a fix version is confirmed.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must be able to reach the WordPress site over the network; no local or physical access is needed.
AuthenticationRequired
Any low-privilege WordPress account (such as a subscriber-level user) is sufficient; administrative credentials are not required.
Victim interactionNot required
No action from another user or administrator is needed to trigger the vulnerability.
Attack complexityDetail
The exploit is reliable and condition-free; no race conditions or special memory layout are required to achieve code execution.

Blast Radius

The attacker executes arbitrary server-side code in the context of the web server process, enabling full control over the WordPress application.
All data stored in the WordPress database, including user credentials, session tokens, and customer records, is readable by the attacker.
The attacker can write, modify, or delete files on the server, including theme files, plugin files, and uploaded content.
Because the scope is changed (S:C), the attacker can pivot beyond the plugin boundary to affect other applications or services sharing the same server environment.

How HarborGuard Handles This

Available on HarborGuard: because no fix version has been published for CVE-2026-49774, HarborGuard continuously re-evaluates the advisory on every ingest cycle. As soon as Filipe Nasc or the WordPress plugin repository ships a remediated release, a patched-image rebuild becomes available automatically; for customers with auto-remediation enabled, that triggers a full rebuild, regression-test run, and a PR opened against every affected workload. While no patch exists, HarborGuard recommends applying compensating controls at the network layer: enforce ingress policy to restrict WordPress admin and authenticated endpoints to known IP ranges, apply egress filtering to prevent outbound code-retrieval requests from the web server process, and consider disabling the RD Station plugin via feature-flag or environment configuration until an upstream fix is confirmed.

See how HarborGuard automates this

Affected packages

Filipe Nasc / RD Station
≤ 5.6.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References

patchstack.com

Metrics

Get notified