Platform: wordpress
Component: code-snippets
Fixed in: 4.0.0
CVE-2025-13035 describes a PHP Code Injection vulnerability in the WordPress Code Snippets plugin. The flaw allows authenticated attackers with Contributor-level access or higher to execute arbitrary PHP code on the server. It affects versions 0.0.0 through 3.9.1 of the plugin and has been resolved in version 3.9.2.
The impact of this vulnerability is severe. An attacker can leverage the [code_snippet] shortcode to inject and execute malicious PHP code. This could lead to complete server compromise, including data exfiltration, modification of website content, and installation of backdoors. The ability to execute arbitrary code grants the attacker a high degree of control over the affected WordPress instance, potentially impacting all users and data associated with the site. The reliance on shortcode attributes for file path manipulation creates a direct pathway for code execution.
This vulnerability was publicly disclosed on 2025-11-19. The ease of exploitation, combined with the plugin's popularity, suggests a potential for widespread exploitation. While no active campaigns have been publicly confirmed, the availability of a proof-of-concept is likely to encourage malicious actors to target vulnerable installations. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.08% (24th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the Code Snippets plugin to version 3.9.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the [code_snippet] shortcode for users with Contributor access or lower. Review any existing code snippets for suspicious or unexpected code. Implement a Web Application Firewall (WAF) with rules to block attempts to inject PHP code through shortcode attributes. Monitor WordPress logs for unusual PHP execution patterns or attempts to access sensitive files.
Update to version 3.9.2, or a newer patched version
CVE-2025-13035 is a vulnerability in the WordPress Code Snippets plugin allowing authenticated attackers to execute arbitrary PHP code via shortcode manipulation. It affects versions 0.0.0–3.9.1 and has a CVSS score of 8.0 (HIGH).
You are affected if your WordPress site uses the Code Snippets plugin and is running version 3.9.1 or earlier. Check your plugin versions immediately.
Upgrade the Code Snippets plugin to version 3.9.2 or later. If immediate upgrade is not possible, restrict access to the [code_snippet] shortcode for lower-level users.
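Both the mitigation section above and this answer recommend restricting the [code_snippet] shortcode for lower-privileged users while the upgrade is pending. The following must-use plugin is an added example of one way to do that, not code from the Code Snippets project or from this advisory: it strips the shortcode from any content saved by a user who lacks the manage_options capability (an assumed threshold; adjust to your role model) and logs the event for review.

```php
<?php
/**
 * Plugin Name: CVE-2025-13035 interim mitigation (example)
 * Description: Strips [code_snippet] shortcodes from content saved by users
 *              without manage_options. Remove once Code Snippets is updated.
 */

// Place this file in wp-content/mu-plugins/ so it loads on every request.

add_filter( 'wp_insert_post_data', 'mitigation_strip_code_snippet_shortcode', 10, 2 );

function mitigation_strip_code_snippet_shortcode( $data, $postarr ) {
    // Assumed trust boundary: users with manage_options keep the shortcode.
    if ( current_user_can( 'manage_options' ) ) {
        return $data;
    }

    // get_shortcode_regex() restricted to one tag matches [code_snippet ...]
    // and the escaped form [[code_snippet ...]]; groups 1 and 6 hold the
    // extra brackets. Core returns the pattern without delimiters.
    $pattern = '/' . get_shortcode_regex( array( 'code_snippet' ) ) . '/s';

    // $data is slashed at this point in wp_insert_post(), so unslash first.
    $content  = wp_unslash( $data['post_content'] );
    $stripped = preg_replace_callback( $pattern, function ( $m ) {
        // [[code_snippet]] is literal text, never executed: reduce it to the
        // single-bracket literal, the same way strip_shortcodes() does.
        if ( '[' === $m[1] && ']' === $m[6] ) {
            return substr( $m[0], 1, -1 );
        }
        return '';
    }, $content );

    if ( $stripped !== $content ) {
        // Audit trail for the security team; post ID is 0 on a brand-new post.
        $user = wp_get_current_user();
        error_log( sprintf(
            'CVE-2025-13035 mitigation: removed [code_snippet] from post %d saved by user %d (%s)',
            isset( $postarr['ID'] ) ? (int) $postarr['ID'] : 0,
            $user->ID,
            $user->user_login
        ) );
        $data['post_content'] = wp_slash( $stripped );
    }

    return $data;
}
```

Saves made without a logged-in user (WP-Cron, WP-CLI, import scripts) fail the capability check and are stripped too, which is the safe default but worth knowing before deployment. Entries in the PHP error log with the "CVE-2025-13035 mitigation" prefix are the signal to review that user's account and content.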
While no active campaigns have been publicly confirmed, the vulnerability's ease of exploitation and the plugin's popularity suggest a potential for exploitation. Monitor your systems closely.
Refer to the Code Snippets plugin's official website and WordPress.org plugin repository for the latest updates and security advisories regarding CVE-2025-13035.