CVE-2026-49774
Status: Received - Intake
Code Injection Vulnerability in RD Station

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Patchstack

Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion. This issue affects RD Station: from n/a through 5.6.0.
Meta Information
Published: 2026-06-16
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
rd_station | rd_station | up to 5.6.0 (inclusive)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Quick Actions (AI-generated summary)
Executive Summary

This vulnerability is an Improper Control of Generation of Code (CWE-94), also known as Code Injection, in the RD Station WordPress plugin developed by Filipe Nasc. It allows Remote Code Inclusion: an attacker can cause attacker-controlled code to be loaded and executed on the affected site.

Impact Analysis

The vulnerability is rated critical, with a CVSS score of 9.9. An attacker exploiting this flaw can execute arbitrary code remotely, potentially leading to full compromise of the affected site and its hosting system, data theft, data loss, or disruption of services.

Compliance Impact

The vulnerability allows remote code execution, enabling attackers to run arbitrary commands and gain full control of affected sites. Such unauthorized access could lead to data breaches or unauthorized data manipulation, which may affect compliance with standards such as GDPR and HIPAA that require protection of personal and sensitive data.

However, the available information does not detail the direct effects on compliance with any specific regulation.

Detection Guidance

This vulnerability allows Remote Code Execution (RCE) through the WordPress RD Station plugin, versions 5.6.0 and below. Detection should focus on monitoring for unusual or unauthorized command or code execution originating from the web server process on the affected site.

Patchstack has provided a mitigation rule to block attacks until the plugin is updated; applying such a rule also improves visibility, because it logs and blocks suspicious requests targeting this vulnerability.

No specific detection commands are provided in the available resources. Typical methods include reviewing web server logs for unusual HTTP requests to the plugin's endpoints and scanning logs for activity consistent with code injection attempts.

Mitigation Strategies

The immediate recommended step is to update the WordPress RD Station plugin to version 5.7.0 or later, where the vulnerability has been patched.

Until the update can be applied, implement the mitigation rule provided by Patchstack to block attacks targeting this vulnerability.

Since exploiting the vulnerability requires at least contributor-level privileges, reviewing and restricting user permissions also reduces the risk.
