CVE-2025-6784

tigroumeow · Code Engine – PHP Snippets, AI Functions & Automation for WordPress

A command injection vulnerability in the Code Engine WordPress plugin allows authenticated users to execute arbitrary code on the underlying server.

Executive summary

An authenticated remote code execution vulnerability in the Code Engine WordPress plugin poses a severe risk, allowing attackers to execute commands on the host server.

Vulnerability

This is a Command Injection (CWE-77) vulnerability that occurs due to improper neutralization of special elements used in system commands. While the exploit requires authenticated access, it grants the attacker the ability to execute arbitrary commands, effectively giving them control over the web server.

Business impact

With a CVSS score of 8.8, this high-severity vulnerability could lead to total server compromise, data exfiltration, and the installation of persistent backdoors. The business impact is significant, as it enables an attacker to move beyond the application layer into the underlying infrastructure.

Remediation

Immediate Action: Update the Code Engine plugin to the latest version immediately as specified in the vendor's security advisory.

Proactive Monitoring: Monitor server logs for unexpected system calls or process execution originating from the web server user account.

Compensating Controls: Ensure the web server process runs with the principle of least privilege, limiting the scope of what an attacker can execute if the application is compromised.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Remote code execution is among the most severe security risks. Administrators must verify the status of their Code Engine plugin and apply the patch provided by the vendor to prevent unauthorized command execution and maintain the integrity of the WordPress environment.