PT-2026-57405 · WordPress · Code Engine
Published
2026-07-11
·
Updated
2026-07-11
·
CVE-2025-6784
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Code Engine plugin for WordPress versions prior to 0.3.6
Description
Authenticated attackers with Contributor-level access and above can achieve Remote Code Execution (RCE) through the
code-engine shortcode. This occurs because the plugin fails to restrict access to its code injection functionality, allowing the execution of arbitrary code on the server.Recommendations
Update the Code Engine plugin for WordPress to version 0.3.6 or later.
Fix
RCE
Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Code Engine