Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.This issue affects Nelio AB Testing: from n/a through <= 8.2.7.
AnalysisAI
A Code Injection vulnerability (CWE-94) exists in Nelio AB Testing WordPress plugin through version 8.2.7 that allows attackers to execute arbitrary code on affected installations. The vulnerability affects the Nelio Software product across all versions up to and including 8.2.7, potentially enabling remote code execution (RCE). This is a critical severity issue as it permits unauthenticated or low-privilege attackers to gain complete control over WordPress sites running the vulnerable plugin.
Technical ContextAI
The vulnerability resides in the Nelio AB Testing WordPress plugin (CPE: cpe:2.3:a:nelio_software:nelio_ab_testing:*:*:*:*:*:*:*:*), which is a popular A/B testing framework for WordPress. The root cause is classified as CWE-94 (Improper Control of Generation of Code), indicating that the plugin fails to properly sanitize, validate, or escape user-supplied input before using it in code generation or execution contexts. This is a classic code injection vulnerability where attacker-controlled data flows directly into PHP eval(), create_function(), or similar code execution primitives without adequate filtering. The vulnerability likely exists in the plugin's testing or experimentation engine where dynamically generated code is executed server-side.
RemediationAI
Immediate action is required: update Nelio AB Testing to a patched version released after 8.2.7 via the WordPress plugin management interface or directly from the vendor. If a patched version is not yet available, deactivate and remove the plugin immediately to eliminate attack surface. For organizations requiring A/B testing functionality, consider temporary migration to alternative plugins such as Optimizely or Convert that have stronger security postures. During any transition period, apply compensating controls: restrict plugin access via Web Application Firewall (WAF) rules, implement strict WordPress security hardening (disable file editing, restrict PHP execution in upload directories), enable detailed logging of plugin activity, and monitor for suspicious code execution patterns. Reference the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/nelio-ab-testing/vulnerability/wordpress-nelio-ab-testing-plugin-8-2-7-remote-code-execution-rce-vulnerability for patch availability and timelines.
More in Nelio Ab Testing
View allSame weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15931