Description
The Foreign Function Interface (ffi) extension in PHP 5.0.5 does not follow safe_mode restrictions, which allows context-dependent attackers to execute arbitrary code by loading an arbitrary DLL and calling a function, as demonstrated by kernel32.dll and the WinExec function. NOTE: this issue does not cross privilege boundaries in most contexts, so perhaps it should not be included in CVE.
Remediation
References
Related Vulnerabilities
WordPress Plugin A2 Optimized WP Information Disclosure (2.0.10.8)
WordPress Plugin Insert or Embed Articulate Content into WordPress Security Bypass (4.2996)
WordPress Plugin Nmedia MailChimp Widget 'abs_path' Parameter Remote File Include (3.1)
WordPress Plugin GiveWP-Donation and Fundraising Platform PHP Object Injection (2.3.0)