Code Engine <= 0.3.5 - Authenticated (Contributor+) Remote Code Execution
Strategic Overview
<= 0.3.5CVE-2025-6784Vulnerability Overview
The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin not restricting access to the code injecting functionality of the plugin. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Technical Analysis
REMEDIATION: Update to version 0.3.6, or a newer patched version --- IDENTIFIER: CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')) The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
External References
Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C