Skip to main content

NotFound Fresh Framework CVE-2025-26936

CRITICAL
Code Injection (CWE-94)
2025-03-10 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 19:50 vuln.today
CVE Published
Mar 10, 2025 - 15:15 nvd
CRITICAL 10.0

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Fresh Framework allows Code Injection. This issue affects Fresh Framework: from n/a through 1.70.0.

AnalysisAI

Fresh Framework for WordPress (through 1.70.0) contains a code injection vulnerability that allows unauthenticated attackers to execute arbitrary code with scope change, achieving maximum impact on confidentiality, integrity, and availability.

Technical ContextAI

The plugin fails to properly sanitize user input before using it in code generation contexts (CWE-94). The CVSS scope change (S:C) with maximum CIA impact indicates an attacker can fully compromise the WordPress host and potentially pivot to other systems.

Affected ProductsAI

Fresh Framework WordPress plugin through 1.70.0

RemediationAI

Remove or disable Fresh Framework immediately until a patched version is available. Monitor web server logs for signs of exploitation. Apply WAF rules to block code injection patterns.

Share

CVE-2025-26936 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy