The vulnerability in the WPMasterToolKit plugin allows authenticated users with Contributor-level access to inject and execute arbitrary PHP code through the Code Snippets feature. This code injection is a weakness that can lead to remote code execution, privilege escalation to higher WordPress roles, and eventual full site compromise. The weakness is categorized as CWE‑94, indicating an injection of malicious code without proper validation or sanitization.

All releases of the WPMasterToolKit (WPMTK) WordPress plugin up to version 2.13.0 are affected. The issue exists in the core module handling code snippets and is present in the plugin files historical and trunk versions referenced in the advisory. No other products or vendors are listed as affected.

The CVSS score of 5.3 places the vulnerability in the medium severity range, and the EPSS score of less than 1% suggests a low yet non‑zero probability of exploitation. When combined with the fact that the attack vector requires an authenticated Contributor or higher, the risk is mitigated by the need for user access but remains significant if such users exist on the site. The vulnerability is not listed in the CISA KEV catalog, further indicating that actively exploited instances are not currently documented. An attacker would exploit the plugin's lack of capability checks by submitting malicious PHP through the user interface and then executing it via the same interface, allowing code execution on the server.