NotFound Fresh Framework CVE-2025-26936
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Fresh Framework allows Code Injection. This issue affects Fresh Framework: from n/a through 1.70.0.
AnalysisAI
Fresh Framework for WordPress (through 1.70.0) contains a code injection vulnerability that allows unauthenticated attackers to execute arbitrary code with scope change, achieving maximum impact on confidentiality, integrity, and availability.
Technical ContextAI
The plugin fails to properly sanitize user input before using it in code generation contexts (CWE-94). The CVSS scope change (S:C) with maximum CIA impact indicates an attacker can fully compromise the WordPress host and potentially pivot to other systems.
Affected ProductsAI
Fresh Framework WordPress plugin through 1.70.0
RemediationAI
Remove or disable Fresh Framework immediately until a patched version is available. Monitor web server logs for signs of exploitation. Apply WAF rules to block code injection patterns.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today