Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.This issue affects Woody ad snippets: from n/a through <= 2.7.1.
AnalysisAI
A Code Injection vulnerability exists in the Themeisle Woody ad snippets plugin (insert-php) through version 2.7.1 that allows unauthenticated attackers to execute arbitrary PHP code on affected WordPress installations. The vulnerability stems from improper control of code generation, classified as CWE-94, enabling remote code execution (RCE). Patchstack has documented this issue, and affected installations should be patched immediately as the attack vector appears to be network-accessible with low complexity.
Technical ContextAI
The Woody ad snippets WordPress plugin, identified by CPE cpe:2.3:a:themeisle:woody_ad_snippets:*:*:*:*:*:*:*:*, contains a code injection flaw in its insert-php functionality. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), which describes scenarios where user-controlled input is improperly processed before being executed as code. In the context of a WordPress plugin, this typically means that the plugin's insert-php feature (which allows administrators to embed PHP snippets) does not adequately sanitize, validate, or restrict code generation, potentially allowing attackers to inject arbitrary PHP code. The affected versions range from an undefined baseline through version 2.7.1, suggesting the vulnerability may have existed in all released versions of the plugin.
RemediationAI
Immediately upgrade the Themeisle Woody ad snippets plugin to a patched version newer than 2.7.1 via the WordPress plugin dashboard or through direct vendor channels. Verify the patch availability from Themeisle's official security advisories or the WordPress plugin repository. Until patching is complete, disable the Woody ad snippets plugin entirely by deactivating and removing it from active plugins, or restrict access to WordPress admin panels using IP whitelisting and Web Application Firewall (WAF) rules that block suspicious insert-php requests. Conduct a security audit of all sites that had this plugin active to check for signs of code injection or unauthorized PHP execution in logs and database entries. After patching, validate that no malicious code snippets were injected into the database via the insert-php functionality.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15689