Platform: wordpress
Component: if-as-shortcode
Fixed version: 1.2.1
CVE-2025-68897 is a Remote Code Execution (RCE) vulnerability in the IF AS Shortcode plugin for WordPress. It lets an attacker inject arbitrary code, which can lead to complete compromise of the affected WordPress instance. Affected versions run from 0.0.0 up to and including 1.2; the fixed version recorded on this page is 1.2.1.
The weakness is improper control of code generation (code injection): attacker-controlled input reaches a code path where it is treated as code rather than data, so an attacker can execute arbitrary PHP on the server hosting the site. That amounts to full takeover of the website, including data exfiltration, defacement and malware installation. Because the injected code runs with the web server's privileges, it can also modify or delete WordPress core and plugin files and render the site unusable, and the compromised host can serve as a foothold for attacks on other systems reachable from it, widening the blast radius.
The vulnerability was publicly disclosed on 2025-12-29. As of that date no public proof-of-concept (PoC) has been released, and the EPSS score recorded on this page (0.07%, 21st percentile) is low; the CRITICAL severity nonetheless means exploitation is likely to follow quickly once a PoC appears. The vulnerability is not currently listed in CISA KEV. Campaigns that mass-exploit WordPress plugin flaws are common, so treat the window before a PoC as time to patch, not as safety.
Sites running the IF AS Shortcode plugin at an unpatched version (0.0.0 through 1.2) are at significant risk. Shared hosting environments deserve extra attention: a compromise of one site can spread to other sites on the same server unless the hosting accounts are isolated from each other.
• wordpress / composer / npm: search the web root for the plugin (its directory slug is if-as-shortcode; the pattern also accepts the underscore form)
grep -rliE 'if[-_]as[-_]shortcode' /var/www/html/
• wordpress / composer / npm: list the installed plugin and its version with WP-CLI
wp plugin list | grep -iE 'if[-_]as[-_]shortcode'
• wordpress / composer / npm: update (note that this updates every installed plugin, not only this one)
wp plugin update --all
• generic web: check the WordPress plugin directory for updates and security advisories related to IF AS Shortcode.
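The version check in the list above depends on WP-CLI being installed. The script below is an added example written for this page, not code from the plugin or from the advisory: it reads the standard WordPress "Version:" plugin header from the plugin's main file and compares it against the fixed version 1.2.1 taken from this page. It assumes the WordPress document root is /var/www/html (override with WP_ROOT) and that the plugin lives under the slug if-as-shortcode listed in the metadata; the version comparison is dotted-numeric so that 1.10 sorts above 1.2.

```sh
#!/bin/sh
# Added example (not from the plugin or the advisory): decide whether an installed
# copy of IF AS Shortcode falls in the affected range (0.0.0 to 1.2) by reading the
# WordPress "Version:" plugin header and comparing it against 1.2.1.
# Assumptions: WP_ROOT is the WordPress document root and the plugin directory is
# named after the slug if-as-shortcode given in this page's metadata.

FIXED_VERSION=1.2.1
PLUGIN_SLUG=if-as-shortcode
WP_ROOT=${WP_ROOT:-/var/www/html}

# vercmp A B: print -1, 0 or 1 as A is lower than, equal to, or higher than B.
# Components are compared numerically, so 1.10 > 1.2 and 1.2 < 1.2.1.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=''; else b=${b#*.}; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then echo -1; return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then echo 1; return 0; fi
    done
    echo 0
}

# is_vulnerable VERSION: succeed when VERSION is strictly below FIXED_VERSION.
is_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# plugin_version FILE: extract the "Version:" header value from a plugin main file.
# Accepts both the bare "Version: 1.2" and the docblock " * Version: 1.2" forms.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# check_plugin: locate the plugin's main file (the one carrying "Plugin Name:")
# under WP_ROOT and report whether the installed version is affected.
check_plugin() {
    dir="$WP_ROOT/wp-content/plugins/$PLUGIN_SLUG"
    if [ ! -d "$dir" ]; then
        echo "$PLUGIN_SLUG: not installed under $WP_ROOT"
        return 0
    fi
    for f in "$dir"/*.php; do
        grep -q '^[[:space:]]*\*\{0,1\}[[:space:]]*Plugin Name:' "$f" 2>/dev/null || continue
        v=$(plugin_version "$f")
        if [ -z "$v" ]; then
            echo "$PLUGIN_SLUG: found $f but no Version header; inspect manually"
        elif is_vulnerable "$v"; then
            echo "$PLUGIN_SLUG: version $v is AFFECTED (fixed in $FIXED_VERSION)"
        else
            echo "$PLUGIN_SLUG: version $v is not in the affected range"
        fi
        return 0
    done
    echo "$PLUGIN_SLUG: directory present but no plugin header found; inspect manually"
}

# Run the check only when invoked with --check, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_plugin
fi
```

Run it as `WP_ROOT=/path/to/site sh check-if-as-shortcode.sh --check`; on a host with several WordPress installs, loop over the document roots. A "directory present but no plugin header" result usually means a partially removed or renamed plugin and should be inspected by hand rather than assumed safe.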
Exploitation status: disclosure
EPSS: 0.07% (21st percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the IF AS Shortcode plugin to the fixed version, 1.2.1 or later, as soon as it is available to you. If upgrading is not immediately feasible because of compatibility or breaking changes, disable the plugin in the meantime; WordPress will then render its shortcodes as literal text on any page that uses them, a cosmetic cost that is worth paying against RCE. A Web Application Firewall (WAF) tuned to detect and block PHP code injection attempts adds a layer of defence, but it is a compensating control, not a fix. Monitor web server access logs for suspicious requests, in particular ones carrying PHP tags, execution functions or unusual encodings, and scan the installation regularly with a WordPress security plugin.
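As a worked illustration of the log-monitoring advice, the script below is an added example written for this page, not part of the advisory or the plugin. The regular expression is a generic heuristic for PHP code-injection markers in request lines and is not a signature for CVE-2025-68897, whose exact injection vector this page does not describe; the sample log lines are constructed, not captured traffic.

```sh
#!/bin/sh
# Added example (not from the advisory or the plugin): a grep-based triage pass
# over web server access logs for request lines carrying PHP code-injection
# markers. The pattern is a generic heuristic for PHP execution primitives, not a
# signature for CVE-2025-68897. Both raw and percent-encoded forms are matched so
# that a URL-encoded payload is not missed.

# PHP open tags, common execution/decoding functions immediately followed by an
# opening parenthesis (raw or %28), and the php:// stream wrapper.
PHP_INJECTION_RE='(<\?php|%3C%3Fphp|(^|[^a-z0-9_])(eval|system|exec|passthru|shell_exec|assert|base64_decode)(\(|%28)|php://)'

# flag_suspicious: read log lines on stdin and print those matching the heuristic.
flag_suspicious() {
    grep -Ei "$PHP_INJECTION_RE"
}

# Constructed sample lines in common log format (not real traffic). Lines 3, 4 and 6
# carry injection markers; line 2 shows that a bare word such as "system" without a
# following parenthesis is deliberately not flagged.
SAMPLE_LOG='203.0.113.5 - - [29/Dec/2025:10:00:00 +0000] "GET /?s=hello HTTP/1.1" 200 1234
203.0.113.5 - - [29/Dec/2025:10:00:02 +0000] "GET /?s=system%20status HTTP/1.1" 200 1180
203.0.113.9 - - [29/Dec/2025:10:00:05 +0000] "GET /?p=1&x=%3C%3Fphp%20system%28%27id%27%29%3B HTTP/1.1" 200 512
198.51.100.7 - - [29/Dec/2025:10:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=x&c=eval(base64_decode(%27aGk%3D%27)) HTTP/1.1" 403 0
203.0.113.5 - - [29/Dec/2025:10:00:11 +0000] "GET /wp-content/plugins/if-as-shortcode/readme.txt HTTP/1.1" 200 2048
198.51.100.7 - - [29/Dec/2025:10:00:15 +0000] "GET /?file=php://input HTTP/1.1" 200 96'

# count_suspicious: number of sample lines flagged by the heuristic.
count_suspicious() {
    printf '%s\n' "$SAMPLE_LOG" | flag_suspicious | wc -l | tr -d ' '
}

# Real-world use: flag_suspicious < /var/log/apache2/access.log
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_suspicious
fi
```

Run `flag_suspicious < access.log` on the real log. Expect some false positives on sites whose own URLs legitimately contain these tokens, so treat hits as leads for triage (which client, which endpoint, what the response code was) rather than as verdicts, and extend the pattern with any further primitives your own WAF logs show being probed.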
Where a patched build is not available for your deployment, review the vulnerability's details in depth and apply mitigations according to your organization's risk tolerance; uninstalling the plugin and replacing it is a reasonable option.
CVE-2025-68897 is a critical Remote Code Execution vulnerability in the IF AS Shortcode WordPress plugin that allows attackers to execute arbitrary code.
You are affected if you run the IF AS Shortcode plugin at version 0.0.0 through 1.2 (the plugin version, not the WordPress version). Check your plugin version immediately.
Upgrade the IF AS Shortcode plugin to 1.2.1 or later as soon as possible. If upgrading is not immediately possible, disable the plugin.
No public exploit is currently known, but the CRITICAL severity suggests a high probability of exploitation once a proof-of-concept is released.
Check the official IF AS Shortcode plugin page and the WordPress.org plugin repository for security advisories and updates.