Remote Code Execution Vulnerability in Code Engine Plugin for WordPress
CVE-2025-6784
8.8HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 July 2026
What is CVE-2025-6784?
The Code Engine plugin for WordPress exposes a serious vulnerability that allows authenticated users with Contributor-level access and above to perform remote code execution. This flaw arises from inadequate access restrictions to a code-injecting feature via the 'code-engine' shortcode. As a result, attackers can manipulate the server's environment, potentially leading to unauthorized data access and further exploitation. Users are advised to update to the latest version and apply proper security measures to mitigate risks associated with this vulnerability.
Affected Version(s)
Code Engine β PHP Snippets, AI Functions & Automation for WordPress 0 <= 0.3.5