Themeisle Woody ad snippets plugin versions up to 2.7.1 contain a critical code injection vulnerability, posing a severe risk of complete system compromise via remote code execution.

This is a Code Injection vulnerability located in the "insert-php" functionality of the Woody ad snippets plugin. It allows an attacker to bypass standard execution controls to run arbitrary PHP code within the context of the web server.

The impact of this vulnerability is severe, as it allows for full administrative takeover of the WordPress site and potentially the underlying server. With a CVSS score of 9.9, this is classified as Critical, representing a near-maximum risk to confidentiality, integrity, and system availability.

Immediate Action: Update the Woody ad snippets plugin to the latest version immediately or disable the "insert-php" functionality if it is not business-critical.

Proactive Monitoring: Monitor system integrity for unauthorized file modifications and audit administrative user accounts for any unrecognized additions.

Compensating Controls: Deploy a WAF to filter malicious payloads and restrict file system permissions to prevent the web server from writing to sensitive directories.

Public Exploit Available: false

Given the near-perfect CVSS score and the potential for total system compromise, this vulnerability requires an emergency response. Organizations must apply the vendor's security updates immediately to mitigate the risk of remote code execution.