Platform: wordpress
Component: code-snippets
Fixed in: 4.0.0
CVE-2025-13035 describes a PHP Code Injection vulnerability in the WordPress Code Snippets plugin. It allows authenticated attackers with Contributor-level access or higher to execute arbitrary PHP code on the server. All plugin versions up to and including 3.9.1 are affected; the advisory text states the issue is resolved in version 3.9.2.
The impact is severe. An attacker can abuse the [code_snippet] shortcode to inject and execute PHP. Because a Contributor only needs to place the shortcode in post content, the attacker controls the shortcode attributes the plugin acts on, and the plugin's reliance on those attributes for file path handling is the direct path to code execution. Successful exploitation can lead to full server compromise: data exfiltration, modification of site content, and installation of backdoors, with corresponding exposure of every user and record on the affected WordPress instance.
The vulnerability was publicly disclosed on 2025-11-19. Its ease of exploitation, combined with the plugin's popularity, makes widespread exploitation plausible. No active campaigns have been publicly confirmed, but a proof-of-concept is available, which typically draws opportunistic attackers to unpatched installations. The vulnerability is not currently listed in the CISA KEV catalog.
WordPress sites running the Code Snippets plugin are at significant risk, particularly those with multiple users holding Contributor-level access or higher, since any one of those accounts is a sufficient foothold. Shared hosting environments in which several WordPress installations share server resources are also exposed, because compromise of one site can spill over to others.
• wordpress / composer / npm: grep -r 'extract($_POST' /var/www/wordpress/wp-content/plugins/code-snippets/ (a generic heuristic for unsafe request handling in the plugin source; it does not by itself confirm this CVE, so pair it with the version check)
• wordpress / composer / npm: wp plugin list --status=inactive | grep 'code-snippets'
• wordpress / composer / npm: wp plugin list --status=active | grep 'code-snippets'
• generic web: Check WordPress error logs for PHP errors related to file inclusion or shortcode evaluation.
• generic web: Inspect [code_snippet] shortcode usage across the site's content for unusual or suspicious attributes.
disclosure
Exploit status
EPSS: 0.08% (24th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Code Snippets plugin to version 3.9.2 or later immediately. If upgrading is not feasible right away because of compatibility or breaking changes, temporarily restrict which roles may place the [code_snippet] shortcode in content, so that Contributor-level authors cannot trigger snippet evaluation. Review all existing snippets for unexpected or suspicious code. Deploy a Web Application Firewall (WAF) with rules that block attempts to inject PHP through shortcode attributes, and monitor WordPress and PHP logs for unusual execution patterns or attempts to reach sensitive files.
Update to version 3.9.2, or a newer patched version.
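The detection checks listed above and the upgrade-first mitigation, combined into one script. This is an added example, not code from the advisory or from the Code Snippets project. The offline part (version comparison and shortcode inventory) runs on constructed sample content; the live part assumes WP-CLI is installed and the script runs from the WordPress root. The attribute values in the sample content are illustrative, and 3.9.2 is used as the fixed release because that is what the advisory text names.

```shell
#!/usr/bin/env bash
# Added example for CVE-2025-13035; not code from the advisory or the plugin.
# Offline helpers run on constructed input; live_check assumes WP-CLI.
set -u

FIXED_VERSION="3.9.2"   # first patched release named in the advisory text

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Compares numerically per component, so 3.10.0 is correctly newer than 3.9.2
# (a plain string comparison would get that wrong). Missing components are 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# is_affected VERSION: exit 0 when an installed Code Snippets version is vulnerable.
is_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# list_code_snippet_shortcodes: read post content on stdin and print every
# [code_snippet ...] tag, one per line, so its attributes can be reviewed.
# Requires either "]" or a space right after the tag name, so that other
# shortcodes with a longer name (e.g. [code_snippets_tag]) are not reported.
list_code_snippet_shortcodes() {
    grep -oE '\[code_snippet( [^]]*)?\]' || true
}

# count_code_snippet_shortcodes: number of [code_snippet ...] tags on stdin.
count_code_snippet_shortcodes() {
    list_code_snippet_shortcodes | wc -l | tr -d ' '
}

# Constructed sample standing in for a post-content export (attributes illustrative).
SAMPLE_CONTENT='<p>Intro paragraph</p>
[code_snippet id="12"]
Some text. [code_snippet name="footer-tracking" format="true"]
[gallery ids="1,2"]
[code_snippets_tag]'

# live_check: the same checks against a real site via WP-CLI (assumed installed,
# run from the WordPress root). Prints the upgrade command when vulnerable.
live_check() {
    local installed
    installed="$(wp plugin get code-snippets --field=version 2>/dev/null)" || {
        echo "code-snippets is not installed"; return 0
    }
    if is_affected "$installed"; then
        echo "VULNERABLE: code-snippets $installed is older than $FIXED_VERSION"
        echo "Fix: wp plugin update code-snippets"
    else
        echo "OK: code-snippets $installed"
    fi
    echo "--- [code_snippet] usages across all posts; review attributes by hand ---"
    wp post list --post_type=any --post_status=any --field=post_content \
        | list_code_snippet_shortcodes
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "sample shortcode tags found: $(printf '%s\n' "$SAMPLE_CONTENT" | count_code_snippet_shortcodes)"
    printf '%s\n' "$SAMPLE_CONTENT" | list_code_snippet_shortcodes
fi
```

Run it without arguments to see the offline checks on the sample content (two tags are reported; the [gallery] and [code_snippets_tag] lines are not), and with --live on a real install to read the plugin version with wp plugin get and inventory shortcode usage with wp post list. The numeric version comparison matters here because the page gives an inclusive upper bound of 3.9.1: a lexical comparison would misclassify a future 3.10.x release as vulnerable.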
CVE-2025-13035 is a vulnerability in the WordPress Code Snippets plugin that allows authenticated attackers (Contributor or higher) to execute arbitrary PHP code through [code_snippet] shortcode manipulation. It affects all versions up to and including 3.9.1 and carries a CVSS score of 8.0 (HIGH).
You are affected if your WordPress site uses the Code Snippets plugin at version 3.9.1 or earlier. Check the installed plugin version immediately, and confirm the exact fixed release against the plugin changelog, since this page's header lists 4.0.0 while the advisory text names 3.9.2.
Upgrade the Code Snippets plugin to version 3.9.2 or later. If an immediate upgrade is not possible, restrict which roles can place the [code_snippet] shortcode in content so that Contributor-level users cannot trigger it.
No active campaigns have been publicly confirmed, but the vulnerability's ease of exploitation and the plugin's popularity make exploitation likely. Monitor your systems closely.
Refer to the Code Snippets plugin's official website and the WordPress.org plugin repository for the latest updates and security advisories regarding CVE-2025-13035.