CVE-2025-68897
Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Mohammad I. Okfie IF AS Shortcode (if-as-shortcode) allows Code Injection. This issue affects IF AS Shortcode: from n/a through <= 1.2.
Analysis
IF AS Shortcode, a WordPress plugin, is affected by a code injection vulnerability in all versions up to and including 1.2: shortcode parameters are handled improperly and can be turned into executed code. The weakness is classified as CWE-94 (Improper Control of Generation of Code). Patchstack reported the issue. No CVSS vector is provided in the available data, and the EPSS probability of 0.07% suggests limited real-world exploitation at the time of analysis. Keep in mind that EPSS estimates the likelihood of exploitation, not the impact: code injection in a server-side plugin is a full site-compromise primitive once a reachable path is confirmed, so the low score is not a reason to leave an affected version in place.
Technical Context
IF AS Shortcode is a WordPress plugin that processes shortcode parameters to generate dynamic content. The vulnerability lies in the shortcode parsing and evaluation mechanism, which fails to sanitize or validate user-supplied input before passing it to code generation or execution functions. CWE-94 (Improper Control of Generation of Code) means the plugin builds executable code from user input without adequate validation, so an attacker who controls a shortcode parameter can inject PHP (or, where the output is emitted to the page, JavaScript) that runs in the context of the WordPress installation. The available data does not identify the specific function or shortcode attribute involved, nor the privilege level needed to reach it. Since WordPress expands shortcodes when post content is rendered, the realistic entry point is anything that lets untrusted input into content that the plugin evaluates, which typically means an account able to create or edit posts, or a feature that reflects user input into rendered content. The affected range (through 1.2) covers every release up to and including version 1.2, suggesting the flaw has existed since the plugin's initial release.
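The following is an added illustration of the CWE-94 pattern described above and one way to harden it. It is hypothetical example code written for this page, not the IF AS Shortcode plugin's code: the real vulnerable function is not identified in the available data, and the shortcode tags `if_vuln` and `if_safe`, their `cond` attribute and the allowlisted fields are all assumptions. The vulnerable handler concatenates an attribute straight into `eval()`; the hardened handler never generates code and instead evaluates a fixed `field op value` grammar against values it computes itself.

```php
<?php
// Added example for CVE-2025-68897 (CWE-94). Hypothetical code, not the
// plugin's own: shortcode names, the "cond" attribute and the field list
// are assumptions chosen to show the pattern.

// --- Vulnerable pattern: a post-body attribute reaches eval() ----------
function vuln_if_shortcode( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'cond' => 'false' ), $atts, 'if_vuln' );
    // $atts['cond'] is attacker-controlled text from the post, e.g.
    // [if_vuln cond="system('id')"]...[/if_vuln]
    $result = eval( 'return (' . $atts['cond'] . ');' );   // CWE-94
    return $result ? do_shortcode( $content ) : '';
}

// --- Hardened pattern: evaluate a tiny grammar, never build code --------
function safe_if_shortcode( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'cond' => '' ), $atts, 'if_safe' );
    if ( ! safe_if_evaluate( $atts['cond'] ) ) {
        return '';   // fail closed on anything unrecognised
    }
    return do_shortcode( $content );
}

function safe_if_evaluate( $cond ) {
    // Strict shape: <identifier> <operator> <plain value>. No parentheses,
    // quotes, dollar signs or semicolons can ever match this.
    if ( ! preg_match( '/^\s*([a-z_]+)\s*(==|!=|>=|<=|>|<)\s*([A-Za-z0-9_.-]*)\s*$/', $cond, $m ) ) {
        return false;
    }
    list( , $field, $op, $value ) = $m;

    // Allowlist of fields; the handler computes each value itself.
    $fields = array(
        'logged_in' => is_user_logged_in() ? '1' : '0',
        'role'      => safe_if_current_role(),
        'hour'      => (string) (int) current_time( 'G' ),
    );
    if ( ! array_key_exists( $field, $fields ) ) {
        return false;   // unknown field: fail closed
    }
    $left    = $fields[ $field ];
    $numeric = is_numeric( $left ) && is_numeric( $value );

    switch ( $op ) {
        case '==': return $numeric ? (float) $left == (float) $value : $left === $value;
        case '!=': return $numeric ? (float) $left != (float) $value : $left !== $value;
        case '>':  return $numeric && (float) $left >  (float) $value;
        case '<':  return $numeric && (float) $left <  (float) $value;
        case '>=': return $numeric && (float) $left >= (float) $value;
        case '<=': return $numeric && (float) $left <= (float) $value;
    }
    return false;
}

function safe_if_current_role() {
    $user = wp_get_current_user();
    return ( $user && ! empty( $user->roles ) ) ? (string) $user->roles[0] : '';
}

add_shortcode( 'if_safe', 'safe_if_shortcode' );
// add_shortcode( 'if_vuln', 'vuln_if_shortcode' ); // shown only to contrast; never register it
```

When auditing a plugin for this class of bug, grep for `eval(`, `create_function(`, `assert(` with a string argument, `preg_replace` with the `e` modifier, and variable function calls such as `$fn(...)` where any operand can be traced back to a shortcode attribute; any hit where the attribute is not reduced to an allowlisted token before use is the same pattern as the vulnerable handler above.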
Affected Products
The vulnerability affects the IF AS Shortcode WordPress plugin (slug if-as-shortcode, by Mohammad I. Okfie) in all versions from the initial release through version 1.2. The plugin is distributed through the official WordPress.org plugin repository. No CPE identifier was provided in the available data. To check exposure, confirm the installed version in the WordPress admin dashboard under Plugins > Installed Plugins, or with WP-CLI's plugin listing; any version of 1.2 or lower is affected.
Remediation
Update IF AS Shortcode to a fixed release. The data available here states only that versions through 1.2 are affected and does not name the patched version, so check the WordPress admin panel (Plugins > Installed Plugins, locate IF AS Shortcode, and apply the update if one is offered) and the Patchstack entry at https://patchstack.com/database/Wordpress/Plugin/if-as-shortcode/vulnerability/wordpress-if-as-shortcode-plugin-1-2-remote-code-execution-rce-vulnerability for the current patch status. Until a fixed version is installed, deactivate the plugin; if no fixed release exists, remove it rather than leaving it deactivated, since deactivated plugin files remain on disk. Prioritise public-facing sites and sites where untrusted users can author or edit content, as that is where shortcode parameters are most easily controlled by an attacker.
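As an added example for the temporary measure above (not code from the vuln.today page or from the plugin), the following must-use plugin deactivates IF AS Shortcode automatically whenever the installed version falls in the affected range, and keeps it off until an administrator installs a version above 1.2. It assumes the plugin's main file is at `if-as-shortcode/if-as-shortcode.php` inside the plugins directory; verify that path on your site before relying on it. The `ifas_guard_*` names and the `1.2` threshold are this example's own.

```php
<?php
/**
 * Plugin Name: Guard: deactivate IF AS Shortcode <= 1.2 (CVE-2025-68897)
 * Description: Added example, not part of the vuln.today page or the plugin.
 *              Place in wp-content/mu-plugins/ as a stopgap until the plugin
 *              is updated or removed.
 */

// Assumption: main plugin file relative to WP_PLUGIN_DIR. Check this on your site.
define( 'IFAS_GUARD_PLUGIN', 'if-as-shortcode/if-as-shortcode.php' );
// Highest affected version per the advisory ("through <= 1.2").
define( 'IFAS_GUARD_MAX_VULN', '1.2' );

function ifas_guard_is_vulnerable( $version ) {
    // version_compare handles 1.2 vs 1.2.0 vs 1.10 correctly, unlike string compare.
    return version_compare( $version, IFAS_GUARD_MAX_VULN, '<=' );
}

function ifas_guard_check() {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    if ( ! is_plugin_active( IFAS_GUARD_PLUGIN ) ) {
        return;   // already off (or never installed): nothing to do
    }
    $path = WP_PLUGIN_DIR . '/' . IFAS_GUARD_PLUGIN;
    if ( ! file_exists( $path ) ) {
        return;   // path assumption is wrong for this site; do not guess
    }
    $data = get_plugin_data( $path, false, false );
    if ( empty( $data['Version'] ) || ! ifas_guard_is_vulnerable( $data['Version'] ) ) {
        return;   // fixed version installed: leave it alone
    }

    deactivate_plugins( IFAS_GUARD_PLUGIN );

    add_action( 'admin_notices', function () use ( $data ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( sprintf(
                'IF AS Shortcode %s was deactivated: affected by CVE-2025-68897. Update to a fixed release before re-enabling.',
                $data['Version']
            ) )
        );
    } );
}

// mu-plugins load before regular plugins, so this runs on every request,
// not only when an administrator happens to open wp-admin.
add_action( 'plugins_loaded', 'ifas_guard_check' );
```

One caveat: on the request in which the guard fires, the plugin has already been loaded, so its shortcodes are still registered for that single page render; every subsequent request sees it deactivated. Deactivating manually as soon as the advisory is known is still the first step; this guard catches the case where someone re-enables the old version.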