Remote Code Execution Vulnerability in Code Engine Plugin for WordPress
CVE-2025-6784

8.8HIGH

What is CVE-2025-6784?

The Code Engine plugin for WordPress exposes a serious vulnerability that allows authenticated users with Contributor-level access and above to perform remote code execution. This flaw arises from inadequate access restrictions to a code-injecting feature via the 'code-engine' shortcode. As a result, attackers can manipulate the server's environment, potentially leading to unauthorized data access and further exploitation. Users are advised to update to the latest version and apply proper security measures to mitigate risks associated with this vulnerability.

Affected Version(s)

Code Engine – PHP Snippets, AI Functions & Automation for WordPress 0 <= 0.3.5

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jonas Benjamin Friedli
.