Skip to main content

Nelio Ab Testing EUVDEUVD-2026-15931

| CVE-2026-32573 CRITICAL
Code Injection (CWE-94)
2026-03-25 Patchstack
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15931
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
CRITICAL 9.1

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.This issue affects Nelio AB Testing: from n/a through <= 8.2.7.

AnalysisAI

A Code Injection vulnerability (CWE-94) exists in Nelio AB Testing WordPress plugin through version 8.2.7 that allows attackers to execute arbitrary code on affected installations. The vulnerability affects the Nelio Software product across all versions up to and including 8.2.7, potentially enabling remote code execution (RCE). This is a critical severity issue as it permits unauthenticated or low-privilege attackers to gain complete control over WordPress sites running the vulnerable plugin.

Technical ContextAI

The vulnerability resides in the Nelio AB Testing WordPress plugin (CPE: cpe:2.3:a:nelio_software:nelio_ab_testing:*:*:*:*:*:*:*:*), which is a popular A/B testing framework for WordPress. The root cause is classified as CWE-94 (Improper Control of Generation of Code), indicating that the plugin fails to properly sanitize, validate, or escape user-supplied input before using it in code generation or execution contexts. This is a classic code injection vulnerability where attacker-controlled data flows directly into PHP eval(), create_function(), or similar code execution primitives without adequate filtering. The vulnerability likely exists in the plugin's testing or experimentation engine where dynamically generated code is executed server-side.

RemediationAI

Immediate action is required: update Nelio AB Testing to a patched version released after 8.2.7 via the WordPress plugin management interface or directly from the vendor. If a patched version is not yet available, deactivate and remove the plugin immediately to eliminate attack surface. For organizations requiring A/B testing functionality, consider temporary migration to alternative plugins such as Optimizely or Convert that have stronger security postures. During any transition period, apply compensating controls: restrict plugin access via Web Application Firewall (WAF) rules, implement strict WordPress security hardening (disable file editing, restrict PHP execution in upload directories), enable detailed logging of plugin activity, and monitor for suspicious code execution patterns. Reference the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/nelio-ab-testing/vulnerability/wordpress-nelio-ab-testing-plugin-8-2-7-remote-code-execution-rce-vulnerability for patch availability and timelines.

Share

EUVD-2026-15931 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy