The Landing Pages plugin before 1.9.2 for WordPress allows remote attackers to execute arbitrary code via the url parameter.