CVE-2013-2109: 
WordPress vulnerability analysis and mitigation

WordPress plugin wp-cleanfix was found to contain a Remote Code Execution vulnerability (CVE-2013-2109). The vulnerability was discovered in version 1.4 of the plugin and was fixed in version 3.0.2. This security issue was identified and reported in May 2013 (Openwall Mailing List).

The vulnerability exists in the wpCleanFixAjax.php file where user input from $_POST['command'] is processed through strip_tags() and then directly passed to eval(). The code execution is only accessible when logged in as an administrator and when _wpdk_is_ajax() returns true. The vulnerability has a CVSS 3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

While the code execution requires administrator privileges, which normally wouldn't be considered a significant vulnerability since WordPress administrators can already execute PHP code, this vulnerability becomes more severe when combined with a CSRF attack. This combination allows remote attackers to potentially execute arbitrary PHP code on the server through social engineering attacks (Openwall Mailing List).

The vulnerability was fixed in version 3.0.2 of the wp-cleanfix plugin. Users should upgrade to this version or later to protect against this security issue (WPScan).