Impact
The Content No Cache plugin, version 0.1.4 and earlier, is vulnerable to improper control of code generation (code injection), which lets attackers invoke arbitrary PHP functions. This flaw, classified as CWE-94, allows an attacker to inject and execute arbitrary PHP code within the WordPress environment, potentially compromising the confidentiality, integrity, and availability of the site. The primary impact is remote code execution, which can lead to full site takeover if the plugin is accessed by a privileged user or if external input can reach the vulnerable logic.
Affected Systems
This vulnerability affects the WordPress plugin Content No Cache, developed by Jose Mortellaro. The flaw exists in all releases through version 0.1.4; no higher version is specified in the CNA data, so any deployment using the affected range is at risk.
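To find installs in the stated range, the following added example (not code from the plugin or from the advisory data) reads WordPress plugin headers under a plugins directory and flags copies of Content No Cache at or below 0.1.4. It assumes the standard `wp-content/plugins/<slug>/` layout and that the plugin's `Plugin Name` header reads "Content No Cache"; the function names are illustrative, and a copy with no readable version is treated as in range.

```python
import re
import sys
from pathlib import Path

PLUGIN_NAME = "content no cache"   # plugin name as given in the advisory
LAST_LISTED = (0, 1, 4)            # advisory: affected "through version 0.1.4"

# Matches header lines such as " * Plugin Name: Foo" or " * Version: 1.2".
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r*/]*$", re.I | re.M)

def read_header(php_file):
    """Return the Plugin Name / Version header fields of one PHP file."""
    # WordPress itself only scans the first 8 KB of a file for headers.
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value.strip())
    return fields

def parse_version(text):
    """'0.1.4-beta' -> (0, 1, 4); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def find_in_range(plugins_dir):
    """List (path, version, in_range) for each Content No Cache copy found."""
    hits = []
    # Only plugins installed in their own directory are scanned.
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        if header.get("plugin name", "").lower() != PLUGIN_NAME:
            continue
        version = header.get("version", "")
        parsed = parse_version(version)
        # Assumption: an unreadable version is reported as in range.
        in_range = not parsed or parsed <= LAST_LISTED
        hits.append((str(php_file), version or "unknown", in_range))
    return hits

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for path, version, in_range in find_in_range(root):
        print(f"{'IN RANGE' if in_range else 'above 0.1.4'}  {version}  {path}")
```

A result of "above 0.1.4" only means the copy is outside the listed range; the advisory names no fixed version.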
Risk and Exploitability
The CVSS score of 8.6 indicates high severity. The EPSS score of less than 1% reflects a low current exploit probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves exploitation of exposed plugin input or parameters that allow arbitrary function calls. Without a vendor patch, the risk remains significant for any site running the vulnerable plugin, and attackers could trigger code injection remotely if the plugin accepts user-controlled data.