CVE-2025-6784
tigroumeow · Code Engine – PHP Snippets, AI Functions & Automation for WordPress
A command injection vulnerability in the Code Engine WordPress plugin allows authenticated users to execute arbitrary code on the underlying server.
Executive summary
An authenticated remote code execution vulnerability in the Code Engine WordPress plugin poses a severe risk, allowing attackers to execute commands on the host server.
Vulnerability
This is a Command Injection (CWE-77) vulnerability that occurs due to improper neutralization of special elements used in system commands. While the exploit requires authenticated access, it grants the attacker the ability to execute arbitrary commands, effectively giving them control over the web server.
Business impact
With a CVSS score of 8.8, this high-severity vulnerability could lead to total server compromise, data exfiltration, and the installation of persistent backdoors. The business impact is significant, as it enables an attacker to move beyond the application layer into the underlying infrastructure.
Remediation
Immediate Action: Update the Code Engine plugin to the latest version immediately as specified in the vendor's security advisory.
Proactive Monitoring: Monitor server logs for unexpected system calls or process execution originating from the web server user account.
Compensating Controls: Ensure the web server process runs with the principle of least privilege, limiting the scope of what an attacker can execute if the application is compromised.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Remote code execution is among the most severe security risks. Administrators must verify the status of their Code Engine plugin and apply the patch provided by the vendor to prevent unauthorized command execution and maintain the integrity of the WordPress environment.