Platform: wordpress
Component: fresh-framework
Fixed in: 1.70.1
CVE-2025-26936 describes a Remote Code Execution (RCE) vulnerability within the Fresh Framework WordPress plugin. This flaw allows attackers to inject arbitrary code, leading to complete server compromise. The vulnerability impacts versions from 0.0.0 up to and including 1.70.0. A patch is available in version 1.70.1.
The impact of this RCE vulnerability is severe. An attacker who successfully exploits this flaw can execute arbitrary code on the affected WordPress server with the privileges of the web server user. This could lead to complete system takeover, including data theft, modification, and deletion. Attackers could also install malware, create backdoors for persistent access, or pivot to other systems on the network. Given the plugin's functionality, sensitive data such as user credentials, database information, and potentially customer data could be at risk. The ease of exploitation, combined with the potential for widespread impact, makes this a high-priority vulnerability.
CVE-2025-26936 was publicly disclosed on March 10, 2025. While no active exploitation campaigns have been confirmed as of this writing, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Websites using the Fresh Framework plugin, particularly those running older versions (0.0.0–1.70.0), are at significant risk. Shared hosting environments are particularly vulnerable, as a compromised plugin on one site could potentially impact other sites on the same server. WordPress installations with weak security configurations or outdated plugins are also at increased risk.
• wordpress / composer / npm:
grep -r 'eval(' /var/www/html/wp-content/plugins/fresh-framework/
• wordpress / composer / npm:
wp plugin list | grep 'fresh-framework'
• wordpress / composer / npm:
wp plugin update fresh-framework --version=1.70.1
Exploit status
EPSS: 0.31% (percentile 54%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-26936 is to immediately upgrade the Fresh Framework plugin to version 1.70.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. As a secondary measure, implement strict input validation and sanitization on any user-supplied data processed by the plugin. Web Application Firewalls (WAFs) configured with rules to detect and block code injection attempts can also provide a layer of protection. Monitor WordPress logs for suspicious activity, particularly attempts to execute arbitrary code.
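The version check that the mitigation above relies on, as an added example that is not code from the advisory or from the plugin: a POSIX shell script that reads the plugin's WordPress header for its version and compares it against the fixed release 1.70.1 component by component, so that a version such as 1.7.0 is not misordered by a plain string compare. It assumes the plugin directory contains a standard "Version: x.y.z" header line; the sample header it parses is constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether an installed
# Fresh Framework version falls in the affected range 0.0.0 to 1.70.0
# (fixed in 1.70.1). Assumption: the plugin carries a standard WordPress
# plugin header line "Version: x.y.z" in a PHP file under its directory.
FIXED_VERSION="1.70.1"

# version_lt A B: succeed when A < B. Each dot-separated component is compared
# as an integer, because a plain string compare would order "1.7.0" after
# "1.70.1". Missing components count as 0; suffixes like "-beta" are dropped.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="$(printf '%s' "${a%%.*}" | sed 's/[^0-9].*//')"
        bi="$(printf '%s' "${b%%.*}" | sed 's/[^0-9].*//')"
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1  # versions are equal
}

# is_affected VERSION: succeed when VERSION predates the fixed release.
is_affected() { version_lt "$1" "$FIXED_VERSION"; }

# plugin_version DIR: print the Version: value from the first plugin header
# found under DIR (empty output if none).
plugin_version() {
    grep -rh -E '^[[:space:]]*\*?[[:space:]]*Version:' "$1" 2>/dev/null \
        | head -n 1 | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# sample_header_version: write a constructed plugin header to a temporary
# directory, parse it with plugin_version and print the result (offline demo).
sample_header_version() {
    d="$(mktemp -d)"
    printf '<?php\n/**\n * Plugin Name: Fresh Framework (constructed sample)\n * Version: 1.69.2\n */\n' \
        > "$d/fresh-framework.php"
    plugin_version "$d"
    rm -rf "$d"
}

v="$(sample_header_version)"
if is_affected "$v"; then
    echo "fresh-framework $v is in the affected range; update to $FIXED_VERSION"
else
    echo "fresh-framework $v is not affected by CVE-2025-26936"
fi
```

On a live site, point plugin_version at /var/www/html/wp-content/plugins/fresh-framework (or feed is_affected the output of wp plugin get fresh-framework --field=version) instead of the constructed sample.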
Update the Fresh Framework plugin to the latest available version to mitigate the unauthenticated remote code execution vulnerability. See the plugin page on wordpress.org for the most recent version and update instructions.
CVE-2025-26936 is a critical Remote Code Execution vulnerability in the Fresh Framework WordPress plugin, allowing attackers to execute arbitrary code on the server.
You are affected if you are using Fresh Framework versions 0.0.0 through 1.70.0. Check your plugin version and upgrade immediately.
Upgrade the Fresh Framework plugin to version 1.70.1 or later. If immediate upgrade is not possible, disable the plugin temporarily.
While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation.
Refer to the official Fresh Framework website or WordPress plugin repository for the latest advisory and update information.