PHP Code Injection Vulnerability in Code Snippets Plugin by WordPress
CVE-2025-13035

CVSS 3.1 score: 8 (HIGH)

Key Information:

Vendor

WordPress

CVE Published:
19 November 2025

What is CVE-2025-13035?

The Code Snippets plugin for WordPress is vulnerable to PHP code injection in all versions up to and including 3.9.1. The flaw stems from calling extract() on untrusted shortcode attributes inside the evaluate_shortcode_from_flat_file method; because extract() turns every attribute name into a local variable, a crafted attribute can overwrite the $filepath variable. An authenticated attacker with Contributor-level access or higher could use this to execute arbitrary PHP code on the server. The risk is heightened if an administrator inadvertently enables the 'Enable file-based execution' setting and activates at least one Content snippet.
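The mechanism the description relies on is generic to PHP, so an added illustration follows. This is not the plugin's code: render_from_file_unsafe() and render_from_file_safe() are hypothetical stand-ins, the attribute array is constructed, and the small shortcode_atts() fallback only exists so the file runs outside WordPress. The unsafe variant shows how extract() lets an attribute named "filepath" replace a local $filepath that was derived from configuration; the safe variant shows the usual fix: an explicit attribute allow-list via shortcode_atts(), no extract(), and a path confined to the snippet directory.

```php
<?php
// Added illustration of the extract() hazard the advisory describes.
// Not code from the Code Snippets plugin; render_from_file_unsafe() and
// render_from_file_safe() are hypothetical stand-ins.

// Minimal stand-in for WordPress's shortcode_atts() so this runs outside WP.
// The real function merges $atts into $pairs and drops keys absent from $pairs.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts, string $shortcode = ''): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern: a local variable is derived from trusted configuration,
// then extract() is called on shortcode attributes that a low-privileged user
// controls. Any attribute whose name matches a local variable replaces it.
function render_from_file_unsafe(array $atts, string $snippet_dir): string {
    $filepath = $snippet_dir . '/snippet-' . (int) ($atts['id'] ?? 0) . '.php';
    extract($atts);                 // a "filepath" attribute silently overwrites $filepath
    return $filepath;               // the path the caller would go on to execute
}

// Hardened pattern: declare the accepted attributes explicitly, never call
// extract(), and build the file path only from validated values.
function render_from_file_safe(array $atts, string $snippet_dir): string {
    $a  = shortcode_atts(['id' => 0], $atts);  // unknown keys such as "filepath" are discarded
    $id = (int) $a['id'];
    if ($id <= 0) {
        throw new InvalidArgumentException('invalid snippet id');
    }
    $filepath = $snippet_dir . '/snippet-' . $id . '.php';

    // Defence in depth: the resolved path must stay inside the snippet directory.
    $real_dir  = realpath($snippet_dir);
    $real_path = realpath($filepath);
    if ($real_dir === false || $real_path === false
        || strpos($real_path, $real_dir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('snippet file outside snippet directory');
    }
    return $real_path;
}

// Demonstration with constructed input: an attribute set as it might arrive
// from post content. Only the unsafe variant lets the "filepath" key win.
$atts = ['id' => '7', 'filepath' => '/tmp/not-a-snippet.php'];
$dir  = sys_get_temp_dir() . '/snippets-demo';
@mkdir($dir);
file_put_contents($dir . '/snippet-7.php', "<?php // placeholder snippet\n");

echo "unsafe: ", render_from_file_unsafe($atts, $dir), "\n"; // attribute-supplied path
echo "safe:   ", render_from_file_safe($atts, $dir), "\n";   // .../snippets-demo/snippet-7.php
```

When auditing a plugin for this class of bug, search for extract() calls whose argument traces back to shortcode attributes, $_GET/$_POST, or any other request-derived array; extract() with EXTR_SKIP stops the overwrite of existing variables but still creates arbitrary new ones, so an explicit allow-list is the only form that fully removes the hazard.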

Affected Version(s)

Code Snippets <= 3.9.1

CVSS v3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Timeline

  • Vulnerability published: 19 November 2025

  • Vulnerability reserved

Credit

Michael Mazzolini