Plataforma
wordpress
Componente
nelio-ab-testing
Corrigido em
8.1.9
CVE-2025-67944 describes a critical code injection vulnerability discovered in Nelio AB Testing, a WordPress plugin. This flaw allows attackers to inject and execute arbitrary code on vulnerable systems, potentially leading to complete control. The vulnerability affects versions from 0.0.0 up to and including 8.1.8. A patch is available in version 8.2.0.
The code injection vulnerability in Nelio AB Testing poses a significant threat. An attacker could leverage this flaw to execute malicious code directly on the WordPress server, gaining unauthorized access and control. This could involve stealing sensitive data, modifying website content, installing malware, or even pivoting to other systems on the network. The impact is particularly severe because WordPress sites often host critical business data and are accessible to a wide range of users. Successful exploitation could result in data breaches, reputational damage, and financial losses.
CVE-2025-67944 was publicly disclosed on 2026-01-22. As of this date, there are no publicly available proof-of-concept exploits. The vulnerability is listed on the NVD. The EPSS score is pending evaluation, but the CRITICAL CVSS score suggests a high probability of exploitation if the vulnerability remains unpatched.
WordPress websites utilizing the Nelio AB Testing plugin, particularly those running older versions (0.0.0–8.1.8), are at significant risk. Shared hosting environments where plugin updates are managed by the hosting provider are also vulnerable if they haven't applied the update. Sites with limited security monitoring or input validation practices are especially susceptible.
• wordpress / composer / npm:
grep -r 'nelio-ab-testing' /var/www/html/wp-content/plugins/
wp plugin list | grep nelio-ab-testing• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/nelio-ab-testing/disclosure
Status do Exploit
EPSS
0.06% (percentil 18%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2025-67944 is to immediately upgrade Nelio AB Testing to version 8.2.0 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily disabling the Nelio AB Testing plugin. While not a complete solution, implementing strict input validation and sanitization on any user-supplied data processed by the plugin can help reduce the attack surface. Monitor WordPress access logs for suspicious activity, particularly attempts to inject code or execute unusual commands.
Update to version 8.2.0, or a newer patched version
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2025-67944 is a critical code injection vulnerability affecting Nelio AB Testing WordPress plugin versions 0.0.0–8.1.8, allowing attackers to execute arbitrary code.
Yes, if you are using Nelio AB Testing version 0.0.0 through 8.1.8, you are vulnerable to this code injection flaw.
Upgrade Nelio AB Testing to version 8.2.0 or later to patch the vulnerability. If immediate upgrade is not possible, temporarily disable the plugin.
As of the disclosure date, there are no confirmed reports of active exploitation, but the CRITICAL severity warrants immediate action.
Refer to the Nelio Software website and WordPress plugin repository for the official advisory and update information.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.