Improper Control of Generation of Code, also known as Code Injection, allows an attacker to cause the PDF 2 Post plugin to execute arbitrary PHP code. The vulnerability is a classic CWE‑94 flaw where user-supplied input is used to generate code that is later evaluated. Successful exploitation would give the attacker full control over the WordPress installation, enabling data exfiltration, site defacement, or installation of additional malware. The vulnerability presents a high impact on confidentiality, integrity, and availability for any site running the plugin.

The affected vendor is termel, product PDF 2 Post, version 2.4.0 or earlier. The advisory notes that all releases from the earliest known through <=2.4.0 are vulnerable. No explicit version beyond 2.4.0 is mentioned as affected, implying that versions newer than 2.4.0 are either patched or not yet evaluated.

The CVSS score of 9.9 reflects a catastrophic level of risk, while the EPSS of <1% indicates that the exploitation probability is low at the moment of analysis. The vulnerability is not yet listed in the CISA KEV catalogue. Attackers would most likely target the plugin via crafted HTTP requests or automated code injection attempts aimed at endpoints that accept user input for PDF generation. The lack of access control or input validation around these endpoints is the root cause.