CVE-2025-26936

CRITICAL
2025-03-10 [email protected]
10.0
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 19:50 vuln.today
CVE Published
Mar 10, 2025 - 15:15 nvd
CRITICAL 10.0

Tags

WordPress PHP Code Injection RCE

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Fresh Framework allows Code Injection. This issue affects Fresh Framework: from n/a through 1.70.0.

Analysis

Fresh Framework for WordPress (through 1.70.0) contains a code injection vulnerability that allows unauthenticated attackers to execute arbitrary code with scope change, achieving maximum impact on confidentiality, integrity, and availability.

Technical Context

The plugin fails to properly sanitize user input before using it in code generation contexts (CWE-94). The CVSS scope change (S:C) with maximum CIA impact indicates an attacker can fully compromise the WordPress host and potentially pivot to other systems.

Affected Products

Fresh Framework WordPress plugin through 1.70.0

Remediation

Remove or disable Fresh Framework immediately until a patched version is available. Monitor web server logs for signs of exploitation. Apply WAF rules to block code injection patterns.

Priority Score

50
Low Medium High Critical
KEV: 0
EPSS: +0.2
CVSS: +50
POC: 0

Share

CVE-2025-26936 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy