Description
The Code Snippets plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.9.1. This is due to the plugin's use of extract() on attacker-controlled shortcode attributes within the `evaluate_shortcode_from_flat_file` method, which can be used to overwrite the `$filepath` variable that is subsequently passed to require_once. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server via the `[code_snippet]` shortcode using PHP filter chains, provided they can trick an administrator into enabling the "Enable file-based execution" setting and creating at least one active Content snippet.
Published: 2025-11-19
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated PHP Code Injection
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises from the misuse of extract() on shortcode attributes within the evaluate_shortcode_from_flat_file method. Because extract() turns every attribute key into a local variable, an authenticated Contributor‑plus user who can place a `[code_snippet]` shortcode in a post can supply a `filepath` attribute that overwrites the `$filepath` the method computed, and that attacker‑chosen string is then handed to require_once. With a php://filter chain as the value, require_once evaluates attacker‑supplied PHP without any file having to be written to disk. This PHP code injection (CWE‑94) executes arbitrary server‑side code, enabling the attacker to read secrets such as wp-config.php credentials, install backdoors, or pivot to further attacks.
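To make the mechanism concrete, the following PHP is an added illustration written for this page, not code from the Code Snippets plugin or from the Wordfence report: a shortcode handler in the vulnerable shape described above beside a hardened version. The function names, the snippet-directory layout and the attacker attributes are assumptions; the only things taken from the record are the extract()/require_once pattern and the `filepath` variable name.

```php
<?php
// Added illustration, not the Code Snippets plugin's source. It reproduces the
// pattern this record describes (extract() on shortcode attributes followed by
// require_once of a local $filepath) beside a hardened form. Function names,
// the snippet directory layout and the attacker attributes are assumptions.

// Vulnerable shape. extract() defaults to EXTR_OVERWRITE, so an attribute
// named "filepath" replaces the path the function just computed. A Contributor
// who can publish [code_snippet id="1" filepath="php://filter/..."] therefore
// chooses what require_once loads; php://filter is honoured by include/require
// even with allow_url_include=0, which is what filter chains rely on.
function cs_render_snippet_vulnerable(array $atts, string $snippet_dir): string
{
    $filepath = $snippet_dir . '/' . (int) ($atts['id'] ?? 0) . '.php';
    extract($atts);            // BUG: $atts['filepath'] clobbers $filepath
    ob_start();
    require_once $filepath;
    return (string) ob_get_clean();
}

// Hardened shape:
//  1. allowlist the attributes (in WordPress: shortcode_atts(['id' => 0], $atts, 'code_snippet'));
//  2. never extract(); read each attribute explicitly;
//  3. build the path from the numeric id only, canonicalise it with realpath()
//     and require that it still lies inside the snippet directory, so neither
//     "../" nor a stream wrapper such as php://filter can reach require_once
//     (realpath() returns false for wrapper URLs, so they fail the check).
function cs_render_snippet_hardened(array $atts, string $snippet_dir): string
{
    $defaults = ['id' => 0];
    $atts     = array_intersect_key($atts, $defaults) + $defaults;
    $id       = (int) $atts['id'];
    if ($id <= 0) {
        return '';
    }
    $base = realpath($snippet_dir);
    if ($base === false) {
        return '';             // snippet directory does not exist
    }
    $filepath = realpath($base . '/' . $id . '.php');
    if ($filepath === false
        || strncmp($filepath, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return '';             // missing, or resolved outside the snippet dir
    }
    ob_start();
    require_once $filepath;
    return (string) ob_get_clean();
}

// Constructed demo input: a legitimate id plus the attacker-controlled key.
// The filepath value is a stand-in for a php://filter chain, not a working one.
$attacker_atts = [
    'id'       => '1',
    'filepath' => 'php://filter/resource=/tmp/not-a-snippet',
];

// Show what each variant would hand to require_once, without executing anything:
// the vulnerable function uses the attacker's string verbatim, the hardened one
// discards every attribute that is not on the allowlist.
$survivors = array_intersect_key($attacker_atts, ['id' => 0]);
printf("vulnerable: require_once(%s)\n", $attacker_atts['filepath']);
printf("hardened:   attributes kept after allowlisting = %s\n", json_encode($survivors));
```

The two points that matter for review are that extract() on any user-influenced array is a variable-overwrite primitive regardless of what the array was meant to contain, and that the fix is not to sanitise the `filepath` attribute but to never let attributes become variables at all and to derive the include path solely from data the attacker cannot shape.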

Affected Systems

The affected product is the WordPress Code Snippets plugin, versions up to and including 3.9.1. Sites running these versions with the "Enable file‑based execution" setting enabled and at least one active content snippet are susceptible. No other vendors or products are listed.

Risk and Exploitability

The CVSS 3.1 base score of 8.0 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H) reflects full confidentiality, integrity and availability impact with a scope change, tempered by high attack complexity and the required administrator interaction; the EPSS score of less than 1% indicates a low observed likelihood of exploitation, and the flaw is not in the CISA KEV catalog. Exploitation requires a Contributor‑level or higher account, the "Enable file‑based execution" setting turned on by an administrator, and at least one active Content snippet, which narrows the attack surface but leaves exposed multi‑author WordPress sites at serious risk.

Generated by OpenCVE AI on April 21, 2026 at 18:08 UTC.

Remediation

No vendor fix or workaround is currently listed in this record.

OpenCVE Recommended Actions

  • Check the WordPress plugin repository or the vendor’s website for an official patch or newer release of the Code Snippets plugin.
  • Disable the "Enable file‑based execution" setting if it is not required for site functionality.
  • Remove or deactivate any active content snippets that are not necessary for site operation.
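The first recommended action is a version check. The following POSIX shell snippet is an added example written for this page, not OpenCVE's or the plugin's own tooling: it flags a Code Snippets version that falls in the affected range given in this record (<= 3.9.1). The sample version strings are constructed; on a live site the installed version would come from `wp plugin get code-snippets --field=version`.

```sh
#!/bin/sh
# Added example (not OpenCVE's or the plugin's code): flag a Code Snippets
# install whose version is in the affected range (<= 3.9.1 per this record).
# On a real site obtain the version with:
#   wp plugin get code-snippets --field=version
AFFECTED_MAX=3.9.1

# Returns 0 when $1 is <= AFFECTED_MAX (affected), 1 otherwise.
code_snippets_affected() {
    ver=$1
    # sort -V orders version strings component by component, so if the
    # highest of the two is AFFECTED_MAX the installed version is <= it.
    highest=$(printf '%s\n%s\n' "$ver" "$AFFECTED_MAX" | sort -V | tail -n 1)
    [ "$highest" = "$AFFECTED_MAX" ]
}

# Constructed sample versions for a stand-alone run.
for v in 3.6.0 3.9.1 3.9.2 3.10.0; do
    if code_snippets_affected "$v"; then
        echo "code-snippets $v: affected, patch or disable file-based execution"
    else
        echo "code-snippets $v: outside the affected range in this record"
    fi
done
```

Because the record lists no fixed release, the check can only say whether a site is inside the affected range, not whether a later version is safe; pair it with the second and third actions (disable file-based execution, deactivate unneeded Content snippets) until a vendor release is confirmed.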

Advisories

No advisories yet.

History

Fri, 21 Nov 2025 09:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Codesnippets; Codesnippets code Snippets; Wordpress; Wordpress wordpress
Vendors & Products                    Codesnippets; Codesnippets code Snippets; Wordpress; Wordpress wordpress

Wed, 19 Nov 2025 18:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 19 Nov 2025 08:00:00 +0000

Type          Values Removed   Values Added
Description                    The Code Snippets plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.9.1. This is due to the plugin's use of extract() on attacker-controlled shortcode attributes within the `evaluate_shortcode_from_flat_file` method, which can be used to overwrite the `$filepath` variable and subsequently passed to require_once. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server via the `[code_snippet]` shortcode using PHP filter chains granted they can trick an administrator into enabling the "Enable file-based execution" setting and creating at least one active Content snippet.
Title                          Code Snippets <= 3.9.1 - Authenticated (Contributor+) PHP Code Injection via extract() and PHP Filter Chains
Weaknesses                     CWE-94
References
Metrics                        cvssV3_1: {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:28.619Z

Reserved: 2025-11-11T17:05:21.590Z

Link: CVE-2025-13035

Vulnrichment

Updated: 2025-11-19T17:20:59.227Z

NVD

Status : Deferred

Published: 2025-11-19T08:15:51.780

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13035

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:15:36Z

Weaknesses