PT-2026-57405 · WordPress · Code Engine

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2025-6784

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Code Engine plugin for WordPress versions prior to 0.3.6
Description Authenticated attackers with Contributor-level access and above can achieve Remote Code Execution (RCE) through the code-engine shortcode. This occurs because the plugin fails to restrict access to its code injection functionality, allowing the execution of arbitrary code on the server.
Recommendations Update the Code Engine plugin for WordPress to version 0.3.6 or later.

Fix

RCE

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-6784

Affected Products

Code Engine