PHP Code Injection Vulnerability in WPMasterToolKit Plugin by WordPress
CVE-2025-14166

5.3MEDIUM

Key Information:

Vendor

WordPress
Status
WPmastertoolkit (WPmtk) – All In One Plugin
Vendor
CVE Published:
12 December 2025

What is CVE-2025-14166?

The WPMasterToolKit plugin for WordPress allows Author-level users to execute arbitrary PHP code due to inadequate capability checks in its Code Snippets feature. This vulnerability permits authenticated attackers, including those with Contributor-level access, to run arbitrary PHP code on the server. The exploitation can lead to serious consequences such as remote code execution, privilege escalation, and potentially full compromise of the affected WordPress site.

Affected Version(s)

WPMasterToolKit (WPMTK) – All in one plugin * <= 2.13.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/wpmastertoolki...
https://plugins.trac.wordpress.org/browser/wpmastertoolki...

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Athiwat Tiprasaharn
Itthidej Aramsri
Powpy
Waris Damkham
Varakorn Chanthasri
Peerapat Samatathanyakorn
Sopon Tangpathum (SoNaJaa)
JSON
.