Platform
wordpress
Component
nelio-ab-testing
Fixed in
8.1.9
CVE-2025-67944 describes a critical code injection vulnerability discovered in Nelio AB Testing, a WordPress plugin. This flaw allows attackers to inject and execute arbitrary code on vulnerable systems, potentially leading to complete control. The vulnerability affects versions from 0.0.0 up to and including 8.1.8. A patch is available in version 8.2.0.
The code injection vulnerability in Nelio AB Testing poses a significant threat. An attacker could leverage this flaw to execute malicious code directly on the WordPress server, gaining unauthorized access and control. This could involve stealing sensitive data, modifying website content, installing malware, or even pivoting to other systems on the network. The impact is particularly severe because WordPress sites often host critical business data and are accessible to a wide range of users. Successful exploitation could result in data breaches, reputational damage, and financial losses.
CVE-2025-67944 was publicly disclosed on 2026-01-22. As of this date, there are no publicly available proof-of-concept exploits. The vulnerability is listed on the NVD. The EPSS score is pending evaluation, but the CRITICAL CVSS score suggests a high probability of exploitation if the vulnerability remains unpatched.
Exploit Status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-67944 is to immediately upgrade Nelio AB Testing to version 8.2.0 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the Nelio AB Testing plugin. While not a complete solution, implementing strict input validation and sanitization on any user-supplied data processed by the plugin can help reduce the attack surface. Monitor WordPress access logs for suspicious activity, particularly attempts to inject code or execute unusual commands.
Update to version 8.2.0 or a newer patched version.
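One way to operationalize the upgrade check across many sites is to compare each installed copy of the plugin against the affected range the advisory states (0.0.0 up to and including 8.1.8). The script below is an added example, not code from the advisory or from Nelio Software; it assumes the plugin inventory comes from WP-CLI's `wp plugin list --format=json` (a real command whose output includes `name`, `status` and `version` fields) and uses a constructed sample inventory in place of output from a real site. Versions are compared as integer tuples rather than strings, so 8.1.10 correctly sorts after 8.1.9.

```python
"""Check a WordPress plugin inventory for the CVE-2025-67944 affected range.

Added example, not from the advisory or the Nelio project. Assumes the
inventory is the JSON printed by `wp plugin list --format=json` (WP-CLI);
the JSON below is constructed sample data, not output from a real site.
"""
import json
import re
from typing import List, Tuple

# Affected range stated in the advisory: 0.0.0 up to and including 8.1.8.
VULNERABLE_SLUG = "nelio-ab-testing"
LAST_AFFECTED = "8.1.8"

# Constructed sample inventory in the shape of `wp plugin list --format=json`.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "active", "version": "5.3"},
    {"name": "nelio-ab-testing", "status": "active", "version": "8.1.8"},
])


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.1.8' (or '8.1', '8.2.0-beta1') into a comparable tuple.

    Only the leading dot-separated numeric components are used; a pre-release
    suffix is dropped, so '8.2.0-beta1' compares as 8.2.0. Missing components
    are zero-padded so that '8.1' equals '8.1.0'.
    """
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", version.strip())
    if core is None:
        raise ValueError(f"unparseable version string: {version!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if an installed version falls inside the advisory's affected range."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def find_vulnerable(inventory_json: str) -> List[dict]:
    """Return inventory entries for the vulnerable plugin within the affected range."""
    hits = []
    for plugin in json.loads(inventory_json):
        if plugin.get("name") != VULNERABLE_SLUG:
            continue
        # A deactivated copy still ships the vulnerable code on disk, so it is
        # reported too; the status is included so the operator can prioritize.
        if is_affected(plugin.get("version", "0")):
            hits.append(plugin)
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{hit['name']} {hit['version']} ({hit['status']}): "
              "in affected range, update to the patched release")
```

To run it against a real site, replace `SAMPLE_INVENTORY` with the string returned by `wp plugin list --format=json` (for example via `subprocess.run`); any copy reported by `find_vulnerable` should be updated or, as the advisory suggests, temporarily disabled until it can be.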
CVE-2025-67944 is a critical code injection vulnerability affecting the Nelio AB Testing WordPress plugin, versions 0.0.0 through 8.1.8, allowing attackers to execute arbitrary code.
Yes, if you are using Nelio AB Testing version 0.0.0 through 8.1.8, you are vulnerable to this code injection flaw.
Upgrade Nelio AB Testing to version 8.2.0 or later to patch the vulnerability. If immediate upgrade is not possible, temporarily disable the plugin.
As of the disclosure date, there are no confirmed reports of active exploitation, but the CRITICAL severity warrants immediate action.
Refer to the Nelio Software website and WordPress plugin repository for the official advisory and update information.