Skip to main content

Mohammad I. Okfie IF AS Shortcode CVE-2025-68897

CRITICAL
Code Injection (CWE-94)
2025-12-29 audit@patchstack.com
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
9.9 (CRITICAL)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 29, 2025 - 16:15 nvd
N/A

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in Mohammad I. Okfie IF AS Shortcode if-as-shortcode allows Code Injection.This issue affects IF AS Shortcode: from n/a through <= 1.2.

AnalysisAI

Remote code injection in IF AS Shortcode WordPress plugin versions up to 1.2 allows attackers to execute arbitrary code through improper handling of shortcode parameters. The vulnerability stems from CWE-94 (Improper Control of Code Generation) and affects WordPress installations using this plugin. Patchstack reported the vulnerability; however, no CVSS vector is provided and EPSS probability is low at 0.07%, suggesting limited real-world exploit activity at the time of analysis.

Technical ContextAI

IF AS Shortcode is a WordPress plugin that processes shortcode parameters to generate dynamic content. The vulnerability exists in the shortcode parsing and evaluation mechanism, which fails to properly sanitize or validate user-supplied input before passing it to code generation or execution functions. CWE-94 (Improper Control of Generation of Code) indicates that the plugin creates executable code from user input without adequate validation, allowing attackers to inject malicious PHP or JavaScript that gets executed in the context of the WordPress installation. The affected versions (through 1.2) include all releases up to and including version 1.2, suggesting the vulnerability may have existed since the plugin's initial release.

Affected ProductsAI

The vulnerability affects IF AS Shortcode WordPress plugin (by Mohammad I. Okfie IF AS) in all versions from the initial release through version 1.2. The plugin is hosted on WordPress.org and distributed through the official WordPress plugin repository. Affected installations include WordPress sites with IF AS Shortcode plugin versions 1.2 and earlier. No CPE identifier was provided in the available data; users should verify their plugin version in the WordPress admin dashboard under Plugins.

RemediationAI

Update IF AS Shortcode plugin to a patched version released after 1.2. Users should access their WordPress admin panel, navigate to Plugins > Installed Plugins, locate IF AS Shortcode, and click Update if available. If no update is available in the WordPress dashboard, users should visit the plugin's page at https://patchstack.com/database/Wordpress/Plugin/if-as-shortcode/vulnerability/wordpress-if-as-shortcode-plugin-1-2-remote-code-execution-rce-vulnerability for the latest patch status and instructions. As a temporary measure, disable the IF AS Shortcode plugin until a patched version is deployed, particularly on public-facing WordPress sites.

Share

CVE-2025-68897 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy