Skip to main content

Code Engine CVE-2025-6784

| EUVDEUVD-2025-210455 HIGH
Command Injection (CWE-77)
2026-07-11 Wordfence GHSA-9q92-4hrq-vj96
8.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable shortcode, low complexity, requires a Contributor+ account (PR:L) and no user interaction, yielding full code execution and thus high C/I/A.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 06:54 vuln.today
CVE Published
Jul 11, 2026 - 05:35 cve.org
HIGH 8.8

DescriptionCVE.org

The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin not restricting access to the code injecting functionality of the plugin. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

AnalysisAI

Remote code execution in the Code Engine WordPress plugin (all versions ≤ 0.3.5) lets authenticated users with Contributor-level access or higher run arbitrary PHP/code on the server via the 'code-engine' shortcode, because the plugin fails to restrict access to its code-injection functionality. Reported by Wordfence, the flaw carries a CVSS 8.8 (high) rating; there is no public exploit identified at time of analysis, though the technique (abusing a shortcode that intentionally executes snippets) is straightforward for anyone with authoring rights. This turns the plugin's core 'run PHP snippets' feature into a privilege-escalation path from low-trust content contributors to full server code execution.

Technical ContextAI

Code Engine ('PHP Snippets, AI Functions & Automation for WordPress', vendor tigroumeow) is a WordPress plugin whose purpose is to execute PHP/code snippets, exposed to content through a '[code-engine]' shortcode. Shortcodes are parsed and rendered whenever a post/page containing them is saved or displayed, so any user who can insert a shortcode into content can reach the underlying execution routine. The root cause maps to CWE-77 (Improper Neutralization of Special Elements used in a Command / Command Injection): the plugin does not gate the code-executing shortcode behind an appropriate capability check, so the boundary between 'trusted admin who configures snippets' and 'untrusted contributor who writes posts' collapses. The affected CPE is cpe:2.3:a:tigroumeow:code_engine_-_php_snippets,_ai_functions_&_automation_for_wordpress. In WordPress, the Contributor role can create (but not publish) posts, and normally cannot run code - this vulnerability breaks that expectation.

RemediationAI

Upgrade the Code Engine plugin to the version released after 0.3.5 that adds the missing capability restriction (the fix corresponds to WordPress.org changeset https://plugins.trac.wordpress.org/changeset/3345666; because the reference is a repository changeset rather than a tagged release, the exact patched version number is not independently confirmed from the provided data - verify the current version on the plugin page before deploying). Review the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/1a5f970a-e6a0-4dc7-8e99-342a32f5fd49?source=cve) for details. If you cannot patch immediately, the most effective compensating control is to deactivate the Code Engine plugin, since its shortcode is the attack surface - this disables snippet/AI-automation features that rely on it. Failing that, restrict who can author content by removing Contributor and Author accounts from untrusted users and disabling open/self-service registration (trade-off: blocks legitimate community contributors), and audit existing posts and drafts for unexpected '[code-engine]' shortcodes. A WAF virtual patch from Wordfence can block exploitation attempts as an interim layer but should not replace upgrading.

Share

CVE-2025-6784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy