Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine code-engine allows Remote Code Inclusion.This issue affects Code Engine: from n/a through <= 0.3.3.
Published: 2025-08-20
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of code generation (Code Injection) that allows a remote attacker to include arbitrary code in the WordPress Code Engine plugin. This flaw enables execution of attacker‑supplied code with the privileges of the web server, leading to full compromise of the affected site.

Affected Systems

The affected product is Jordy Meow’s Code Engine plug‑in for WordPress, versions 0.3.3 and earlier. Any WordPress installation deploying these versions is vulnerable.

Risk and Exploitability

The CVSS score of 9.9 indicates a critical severity, but the EPSS score of less than 1% suggests a very low probability of exploitation at the current time. The vulnerability is not yet listed in the CISA KEV catalog. Exploitation would require a remote attacker to inject code through the plugin’s code‑generation functionality, likely via a crafted HTTP request or form submission within the WordPress admin interface.

Generated by OpenCVE AI on April 30, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Code Engine plug‑in to a patched version newer than 0.3.3.
  • If an update is not immediately available, disable or remove the Code Engine plug‑in to eliminate the attack surface.
  • Implement monitoring for unexpected code execution or anomalous HTTP requests that may indicate attempted exploitation, and review server logs for suspicious activity.

Generated by OpenCVE AI on April 30, 2026 at 15:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25336 Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine allows Remote Code Inclusion. This issue affects Code Engine: from n/a through 0.3.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine allows Remote Code Inclusion. This issue affects Code Engine: from n/a through 0.3.3. Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine code-engine allows Remote Code Inclusion.This issue affects Code Engine: from n/a through <= 0.3.3.
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Thu, 21 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Jordy Meow
Jordy Meow code Engine
Wordpress
Wordpress wordpress
Vendors & Products Jordy Meow
Jordy Meow code Engine
Wordpress
Wordpress wordpress

Wed, 20 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine allows Remote Code Inclusion. This issue affects Code Engine: from n/a through 0.3.3.
Title WordPress Code Engine Plugin <= 0.3.3 - Remote Code Execution (RCE) Vulnerability
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Jordy Meow Code Engine
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:53.144Z

Reserved: 2025-05-15T18:02:16.098Z

Link: CVE-2025-48169

cve-icon Vulnrichment

Updated: 2025-08-20T15:36:08.677Z

cve-icon NVD

Status : Deferred

Published: 2025-08-20T08:15:32.857

Modified: 2026-04-23T15:30:55.467

Link: CVE-2025-48169

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T16:00:13Z

Weaknesses