Skip to main content

Code Engine Php Snippets Ai Functions Automation For Wordpress

1 CVEs product

Monthly

CVE-2025-6784 HIGH This Week

Remote code execution in the Code Engine WordPress plugin (all versions ≤ 0.3.5) lets authenticated users with Contributor-level access or higher run arbitrary PHP/code on the server via the 'code-engine' shortcode, because the plugin fails to restrict access to its code-injection functionality. Reported by Wordfence, the flaw carries a CVSS 8.8 (high) rating; there is no public exploit identified at time of analysis, though the technique (abusing a shortcode that intentionally executes snippets) is straightforward for anyone with authoring rights. This turns the plugin's core 'run PHP snippets' feature into a privilege-escalation path from low-trust content contributors to full server code execution.

Command Injection WordPress RCE Code Engine Php Snippets Ai Functions Automation For Wordpress
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in the Code Engine WordPress plugin (all versions ≤ 0.3.5) lets authenticated users with Contributor-level access or higher run arbitrary PHP/code on the server via the 'code-engine' shortcode, because the plugin fails to restrict access to its code-injection functionality. Reported by Wordfence, the flaw carries a CVSS 8.8 (high) rating; there is no public exploit identified at time of analysis, though the technique (abusing a shortcode that intentionally executes snippets) is straightforward for anyone with authoring rights. This turns the plugin's core 'run PHP snippets' feature into a privilege-escalation path from low-trust content contributors to full server code execution.

Command Injection WordPress RCE +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy