Platform
wordpress
Component
code-engine
Fixed in
0.3.4
CVE-2025-48169 describes a Remote Code Execution (RCE) vulnerability in the Jordy Meow Code Engine WordPress plugin. The flaw allows attackers to achieve Remote Code Inclusion, that is, to have the plugin load and execute code of their choosing on affected systems. The vulnerability affects Code Engine versions 0.0.0 through 0.3.3; a fix is available in version 0.3.4.
The impact of this RCE vulnerability is severe. Successful exploitation allows an attacker to inject and execute arbitrary code within the Code Engine environment, which can lead to complete system compromise, including data exfiltration, malware installation, and persistent backdoor access. Because the flaw is a Remote Code Inclusion, the attacker effectively gains control of the server hosting the WordPress site on which Code Engine is installed. In this respect it resembles other code injection flaws in which attackers use a vulnerable input path to execute scripts of their own.
CVE-2025-48169 was published on 2025-08-20. Its severity is rated CRITICAL because of the ease of exploitation and the potential impact. No public proof-of-concept (PoC) code is currently known, but the nature of the vulnerability suggests it could be readily exploited. Active campaigns targeting this vulnerability are not yet confirmed, but the high CVSS score warrants close monitoring.
WordPress websites running the Jordy Meow Code Engine plugin in versions 0.0.0 through 0.3.3 are at significant risk. Shared hosting environments in which users have limited control over plugin configuration are especially exposed, as are sites with outdated or unpatched WordPress installations.
• wordpress / composer / npm:
  grep -rF "include(\$_GET['code']);" /var/www/html/wp-content/plugins/code-engine/*
• generic web:
  curl -I "https://your-wordpress-site.com/wp-content/plugins/code-engine/?code=system('id')"
• wordpress / composer / npm:
  wp plugin list --status=inactive
• wordpress / composer / npm:
  wp plugin update code-engine
Disclosure
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Jordy Meow Code Engine to version 0.3.4 or later immediately. If upgrading is not immediately feasible because of compatibility issues or testing requirements, consider temporary workarounds: restrict file upload permissions within the Code Engine directory, apply strict input validation to prevent malicious code injection, and use a Web Application Firewall (WAF) to filter potentially harmful requests. Regularly monitor Code Engine logs for suspicious activity. After upgrading, confirm the fix by attempting to trigger the vulnerability and verifying that the code execution is blocked.
Update the Code Engine plugin to the latest available version to mitigate the remote code execution vulnerability. Check the plugin page on WordPress.org for the latest version and update instructions. Consider disabling or removing the plugin if it is not essential to your site.
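The detection and remediation commands above and the mitigation text both reduce to one question: is the installed plugin version below 0.3.4? The following POSIX shell script is an added example, not part of this advisory or of the Code Engine project. It reads the `Version:` header that every WordPress plugin declares in its main PHP file, compares it numerically against the fixed version, and reports whether the install is in the affected range. The sample plugin header it checks is constructed inline so the script runs offline; the main-file name `code-engine.php` used in the usage comment is an assumption about the plugin's layout.

```shell
#!/bin/sh
# Added example (not the advisory's or the plugin's own code): decide whether an
# installed Code Engine plugin falls in the affected range 0.0.0 - 0.3.3 by reading
# the WordPress "Version:" plugin header and comparing it with the fixed version.

FIXED_VERSION="0.3.4"

# Print the value of the "Version:" header from a WordPress plugin main file.
# Matches lines such as " * Version: 0.3.3" inside the plugin header comment.
plugin_version() {
  sed -n 's/^[[:space:]]*[*]*[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_lt A B: exit 0 (true) if dotted version A is numerically lower than B.
# Plain string comparison would sort 0.10.0 before 0.3.4, so compare component by
# component and treat missing components as 0 (0.3 == 0.3.0).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1   # equal versions are not "less than"
  }'
}

# check_plugin FILE: print "affected <ver>", "fixed <ver>" or "unknown".
check_plugin() {
  v=$(plugin_version "$1")
  if [ -z "$v" ]; then
    echo "unknown"
  elif version_lt "$v" "$FIXED_VERSION"; then
    echo "affected $v"
  else
    echo "fixed $v"
  fi
}

# Constructed sample: a plugin header for a vulnerable 0.3.3 install, written to a
# temporary file so the example runs without a WordPress installation.
SAMPLE_PLUGIN="$(mktemp)"
cat > "$SAMPLE_PLUGIN" <<'EOF'
<?php
/**
 * Plugin Name: Code Engine
 * Version: 0.3.3
 */
EOF

# On a real host the argument would be the plugin's main file, for example
# (path and file name assumed): /var/www/html/wp-content/plugins/code-engine/code-engine.php
check_plugin "$SAMPLE_PLUGIN"
```

Because the comparison is numeric per component, the check gives the right answer for versions such as 0.10.0 (not affected) that a lexical comparison or a naive `sort` would misclassify, and it reports `unknown` rather than a false "fixed" when the header cannot be read.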
CVE-2025-48169 is a critical Remote Code Execution vulnerability in Jordy Meow Code Engine affecting versions 0.0.0 through 0.3.3; it allows attackers to execute arbitrary code.
You are affected if you are using Jordy Meow Code Engine versions 0.0.0 to 0.3.3. Check your plugin version and upgrade immediately.
Upgrade Jordy Meow Code Engine to version 0.3.4 or later. If an immediate upgrade is not possible, apply temporary workarounds such as restricting file uploads and using a WAF.
Active exploitation is not yet confirmed, but the high CVSS score warrants close monitoring and proactive mitigation.
Refer to the Jordy Meow Code Engine project's official website or repository for the latest security advisories and updates.