PT-2025-47445 · WordPress · Code Snippets

Michael Mazzolini · Published 2025-11-19 · Updated 2025-11-24

CVE-2025-13035
CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Code Snippets, versions up to and including 3.9.1
Description: The Code Snippets plugin for WordPress is susceptible to PHP Code Injection in versions up to and including 3.9.1. The plugin calls extract() on attacker-controlled shortcode attributes inside its evaluate_shortcode_from_flat_file method. extract() imports every key of an array into the current scope as a variable, so a shortcode attribute named filepath overwrites the $filepath variable that the method then passes to require_once. An authenticated attacker with Contributor-level access or higher, who can place shortcodes in posts they author and render them in preview, can therefore control which file the plugin includes via the [code_snippet] shortcode and execute arbitrary PHP code on the server. Exploitation requires that an administrator has enabled the "Enable file-based execution" setting and that at least one active Content snippet exists.
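The extract()-then-require_once pattern described above, shown as an added PHP illustration that is not the plugin's own code: the function names, the snippet directory layout, the sample snippet files and the stand-in shortcode_atts() are assumptions made for this example. The vulnerable handler lets a `filepath` attribute clobber the trusted path before the include; the hardened handler whitelists attributes with shortcode_atts(), derives the path from a numeric id only, confirms the resolved path stays inside the snippet directory, and hands attributes to the included file through one named variable instead of extract().

```php
<?php
declare(strict_types=1);

// Added example, not code from the Code Snippets plugin. Function names, the
// directory layout and the sample snippet files are assumptions made for this
// illustration of the extract()-before-require_once pattern.

// Stand-in for WordPress' shortcode_atts() so the file runs outside WordPress.
// Same contract as core: only keys declared in $pairs survive; any attribute
// the handler did not declare is discarded.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( array $pairs, array $atts, string $shortcode = '' ): array {
        $out = array();
        foreach ( $pairs as $name => $default ) {
            $out[ $name ] = array_key_exists( $name, $atts ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern: the handler computes a trusted $filepath, then calls
// extract() on the shortcode attributes so the snippet file can read them as
// plain variables. extract() defaults to EXTR_OVERWRITE, so an attribute named
// "filepath" replaces the trusted value before require_once runs.
function vulnerable_flat_file_shortcode( array $atts, string $base_dir ): string {
    $filepath = sprintf( '%s/snippet-%d.php', $base_dir, (int) ( $atts['id'] ?? 0 ) );
    extract( $atts );          // e.g. [code_snippet id="1" filepath="/tmp/evil.php"]
    ob_start();
    require_once $filepath;    // includes whatever file the attacker named
    return (string) ob_get_clean();
}

// Hardened pattern: whitelist attributes, build the path from a numeric id,
// verify the resolved path is inside $base_dir, and expose attributes to the
// snippet through a single named variable rather than extract().
function hardened_flat_file_shortcode( array $atts, string $base_dir ): string {
    $atts     = shortcode_atts( array( 'id' => 0 ), $atts, 'code_snippet' );
    $filepath = sprintf( '%s/snippet-%d.php', $base_dir, (int) $atts['id'] );
    $real     = realpath( $filepath );
    $root     = realpath( $base_dir );
    if ( false === $real || false === $root
        || 0 !== strpos( $real, $root . DIRECTORY_SEPARATOR ) ) {
        return '';             // refuse anything outside the snippet directory
    }
    $snippet_atts = $atts;     // visible to the included file by this name
    ob_start();
    require_once $real;
    return (string) ob_get_clean();
}

// Offline demo with constructed files: a legitimate snippet inside the trusted
// directory and an attacker-controlled PHP file outside it.
function demo(): array {
    $base = sys_get_temp_dir() . '/cs-demo-' . getmypid();
    $evil = sys_get_temp_dir() . '/cs-evil-' . getmypid() . '.php';
    mkdir( $base, 0700 );
    file_put_contents( $base . '/snippet-1.php', '<?php echo "legit snippet";' );
    file_put_contents( $evil, '<?php echo "ATTACKER CODE RAN";' );

    // Attributes as the shortcode parser would deliver them for
    // [code_snippet id="1" filepath="<path to $evil>"] in a Contributor's draft.
    $atts = array( 'id' => '1', 'filepath' => $evil );

    $result = array(
        'vulnerable' => vulnerable_flat_file_shortcode( $atts, $base ),
        'hardened'   => hardened_flat_file_shortcode( $atts, $base ),
    );

    unlink( $base . '/snippet-1.php' );
    rmdir( $base );
    unlink( $evil );
    return $result;
}

print_r( demo() );
```

Running the file under PHP 8 shows the vulnerable handler including the attacker-named file while the hardened handler includes only snippet-1.php. The decisive difference is not the path check alone: once extract() has run on attacker-controlled input, every local variable in the handler is suspect, so the fix is to stop calling extract() on untrusted arrays rather than to validate $filepath afterwards.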
Recommendations: Update Code Snippets to a release later than 3.9.1 that contains the fix. Until the update is applied, disabling the "Enable file-based execution" setting removes the precondition for exploitation described above.

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2025-13035

Affected Products: Code Snippets