Platform
wordpress
Component
code-engine
Fixed in
0.3.4
CVE-2025-48169 describes a Remote Code Execution (RCE) vulnerability within the Jordy Meow Code Engine. This flaw allows attackers to achieve Remote Code Inclusion, granting them the ability to execute arbitrary code on affected systems. The vulnerability impacts versions 0.0.0 through 0.3.3 of Code Engine, and a fix is available in version 0.3.4.
The impact of this RCE vulnerability is severe. Successful exploitation allows an attacker to inject and execute arbitrary code within the Code Engine environment. This could lead to complete system compromise, including data exfiltration, malware installation, and persistent backdoor access. Given the nature of Remote Code Inclusion, the attacker effectively gains control over the server hosting the WordPress site where Code Engine is installed. This vulnerability shares similarities with other code injection flaws where attackers leverage vulnerabilities to execute malicious scripts.
CVE-2025-48169 was published on 2025-08-20. The vulnerability's severity is considered CRITICAL due to the ease of exploitation and potential impact. Public proof-of-concept (POC) code is currently unknown, but the nature of the vulnerability suggests it could be readily exploited. Active campaigns targeting this vulnerability are not yet confirmed, but the high CVSS score warrants close monitoring.
Exploit Status
EPSS
0.06% (19% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade Jordy Meow Code Engine to version 0.3.4 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These might include restricting file upload permissions within the Code Engine directory, implementing strict input validation to prevent malicious code injection, and utilizing a Web Application Firewall (WAF) to filter potentially harmful requests. Regularly monitor Code Engine logs for any suspicious activity. After upgrading, confirm the fix by attempting to trigger the vulnerability and verifying that the code execution is blocked.
Update the Code Engine plugin to the latest available version to mitigate the remote code execution vulnerability. Check the plugin page on WordPress.org for the latest version and update instructions. Consider disabling or removing the plugin if it is not essential for your website.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-48169 is a critical Remote Code Execution vulnerability in Jordy Meow Code Engine affecting versions 0.0.0 through 0.3.3, allowing attackers to execute arbitrary code.
You are affected if you are using Jordy Meow Code Engine versions 0.0.0 to 0.3.3. Check your plugin version and upgrade immediately.
Upgrade Jordy Meow Code Engine to version 0.3.4 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file uploads and using a WAF.
Active exploitation is not yet confirmed, but the high CVSS score warrants close monitoring and proactive mitigation.
Refer to the Jordy Meow Code Engine project's official website or repository for the latest security advisories and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.