[wp-trac] [WordPress Trac] #63454: Aikido security: Backticks (``) in PHP are very dangerous and counter-intuitive

WordPress Trac noreply at wordpress.org
Fri May 16 08:34:30 UTC 2025


#63454: Aikido security: Backticks (``) in PHP are very dangerous and counter-intuitive
--------------------------+-----------------------------
 Reporter:  Websonica     |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  6.7.2
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 Hello WordPress Support Team,

 My name is Massimo, and I manage a WordPress installation where I’ve
 identified a potential security risk in the getID3 library included under
 wp-includes/ID3/.

 The Aikido Security team has pointed out that in PHP the backtick operator
 (``) is not a simple quotation mark but functions like shell_exec(),
 executing its contents as a shell command and returning the output. A
 minimal example that can lead to Remote Code Execution is as small as:

 `$_GET[2]`

 Key Points:

     Backticks in PHP execute shell commands and return their output to the
 script.

     If the command string is not thoroughly sanitized, an attacker could
 execute arbitrary system commands.

     The getID3 library (up through version 1.9.21 included in WordPress
 core) uses backticks within getid3.lib.php, potentially exposing sites to
 RCE.

 I would appreciate your guidance on the following:

     What is the current status of this issue in WordPress core and planned
 for future releases?

     Are there official plans to remove or mitigate the use of the backtick
 operator within the bundled getID3 library?

     What solution do you recommend for users to secure their installations
 against this risk without losing media metadata parsing functionality?

 I’m happy to provide further details or staging environment logs if
 needed. Thank you for your assistance, and I look forward to your
 response.

 Best regards,

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63454>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
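The ticket above turns on one fact: in PHP, the backtick operator is shell_exec(), so a backtick expression is only a command-injection sink when something attacker-controlled is interpolated into it; a fixed command string such as `uname -a` cannot be steered by request data. The PHP script below is an added example written for this page, not code from the ticket, from getID3 or from WordPress. It does what a triager of this report would do first: tokenize PHP source with token_get_all() and separate static backtick commands from dynamic ones (a variable or {$expr} spliced in), then shows a dynamic call next to a hardened replacement. The sample source it scans, the function names, and the ffprobe/file commands in it are constructed for the example and are not claims about getid3.lib.php.

```php
<?php
// Added example (not from the Trac ticket, getID3 or WordPress core).
// (1) find_backtick_commands(): locate backtick expressions in PHP source and
//     flag the ones that interpolate a variable or expression.
// (2) file_type_vulnerable() / file_type_hardened(): the injectable pattern
//     beside a version that confines the path and quotes the argument.
declare(strict_types=1);

/**
 * Return every backtick expression in $source as
 * ['line' => int, 'code' => string, 'dynamic' => bool].
 * 'dynamic' is true when anything other than literal text sits between the
 * backticks (T_VARIABLE, {$expr}, ${name} ...). That is the only case that can
 * become command injection, and only if the variable carries untrusted data.
 */
function find_backtick_commands(string $source): array
{
    $hits = [];
    $inside = false;
    $buf = '';
    $dynamic = false;
    $line = 0;
    $lastLine = 0;

    foreach (token_get_all($source) as $tok) {
        if ($tok === '`') {                      // the delimiter is a bare one-char token
            if (!$inside) {
                $inside = true;
                $buf = '';
                $dynamic = false;
                $line = $lastLine;               // refined by the first token inside
            } else {
                $hits[] = ['line' => $line, 'code' => "`$buf`", 'dynamic' => $dynamic];
                $inside = false;
            }
            continue;
        }
        if (is_array($tok)) {                    // [id, text, line]
            $lastLine = $tok[2];
            if ($inside) {
                if ($buf === '') {
                    $line = $tok[2];
                }
                $buf .= $tok[1];
                if ($tok[0] !== T_ENCAPSED_AND_WHITESPACE) {
                    $dynamic = true;             // variable or expression interpolated
                }
            }
        } elseif ($inside) {
            $buf .= $tok;                        // e.g. the '}' that closes a {$expr}
            $dynamic = true;
        }
    }
    return $hits;
}

// Injectable pattern: request data interpolated into the command.
// With $name = '"; id; "' the shell receives   file ""; id; ""   and runs id.
function file_type_vulnerable(string $name): string
{
    return (string) `file "$name"`;
}

// Hardened: confine the path to an allowed directory, pass the single
// argument through escapeshellarg() so the shell sees exactly one quoted
// word, and spell out shell_exec() so the call is easy to grep for.
function file_type_hardened(string $name, string $allowedDir): ?string
{
    $real = realpath($name);
    $base = realpath($allowedDir);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                             // refuse anything outside $allowedDir
    }
    $out = shell_exec('file ' . escapeshellarg($real));
    return is_string($out) ? trim($out) : null;
}

// Constructed sample source for the scanner (not real getID3 code).
$sample = <<<'PHP'
<?php
$v = `uname -a`;                    // static: no way for request data to reach it
$w = `ffprobe -i "$path" 2>&1`;     // dynamic: safety depends on where $path comes from
$x = `ls {$dir}`;                   // dynamic, curly-brace interpolation
$s = "`not a command, just text`";  // inside a string literal: ignored by the tokenizer
PHP;

foreach (find_backtick_commands($sample) as $hit) {
    printf("line %d  %-7s %s\n", $hit['line'], $hit['dynamic'] ? 'DYNAMIC' : 'static', $hit['code']);
}

// The hardened variant refuses a path outside the allowed directory before
// any shell runs, and escapeshellarg() turns an injection payload into one word.
var_dump(file_type_hardened('/etc/passwd', sys_get_temp_dir()));
echo 'file ' . escapeshellarg('"; id; "'), "\n";
```

Run it with `php scanner.php`; point find_backtick_commands() at file_get_contents('wp-includes/ID3/getid3.lib.php') to see which backtick uses there are static and which interpolate a variable. A static hit is not a vulnerability; a dynamic hit needs the variable traced back to its source, and if that source is user-controlled the fix is an allowlist plus escapeshellarg() as above, or replacing the shell call with a native PHP function (finfo, for instance) so there is no shell to inject into.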