How to check if WordPress is vulnerable to CVE-2019-11043 (PHP-FPM)

# Published 30 October 2019

Post Image

What is CVE-2019-11043?

CVE-2019-11043 is a remote code execution vulnerability in PHP-FPM, the FastCGI Process Manager (FPM) for PHP which is commonly used with the Nginx web server. One way to trigger the vulnerability is to embed a line break (%0a) or carriage return (%0d) character into the request URI, which is not correctly handled by the regular expression.

Are WordPress or PHP sites on Codengine vulnerable?

Absolutely not! Sites on Codengine always use the latest and greatest PHP versions as soon as they are available, this means that any CVE's are patched automatically for you; and your site is always as fast and as secure as they can possibly be. Additionally, sites on Codengine will run as much as possible as read-only applications so that even 0 day exploits (vulnerabilities not publicly discovered yet) will have minimal to no impact. Codengine takes security very seriously!


My site is not hosted on Codengine, how can I tell if my hosting provider is vulnerable?

Step 1: go to the WordPress Site Health checker

So long as your hosting provider automatically updates your WordPress installation to the latest, fastest and most secure versions, you should have the Site Health WordPress feature available on your site. This can be located at www.yoursite.example/wp-admin/site-health.php
This page will tell you what you can do to improve your site and what your hosting provider may be doing wrong.

If the Site Health feature is not available on your site it means your hosting provider does not automatically keep your site up to date and secure; please contact us for a free hands-on migration to Codengine by our migrations team so you can be certain your site is in good hands!
Otherwise you can install it via a plugin here.

Step 2: checking the server details

Hit the info tab which should take you to www.yoursite.example/wp-admin/site-health.php?tab=debug
under the server section you will see two values:

  • PHP SAPI: if this says fpm-fcgi then your hosting provider is using PHP-FPM.
  • PHP version: this is the version of PHP your hosting provider is using.
If your site is using fpm-fcgi/PHP-FPM and the PHP version is below 7.3.11, below 7.2.24 or below 7.1.33 then your site is vulnerable to this CVE and anybody can easily run a publicly available script available here to take over your website!

If your site is vulnerable please contact us immediately for a free hands-on migration to Codengine by our migrations team and your migration will be our highest priority so that we can ensure your site is secure and using the latest PHP version.