Impact
This vulnerability exists because the Insert PHP Code Snippet plugin does not correctly enforce authorization checks when code snippets are inserted or edited. As a result, an attacker who controls a user account that the plugin mistakenly treats as having administrator privileges can upload arbitrary PHP code. The flaw is classified as Missing Authorization; if the plugin accepts the injected payload, the attacker achieves code execution on the WordPress site. There is no indication that the plugin can be exploited without authentication, so the impact is limited to accounts that the attacker can compromise or that the site already trusts.
Affected Systems
The affected product is f1logic’s Insert PHP Code Snippet plugin for WordPress. Versions from the earliest available release through 1.4.3 are impacted. Any WordPress installation running the plugin at or below 1.4.3 is affected, regardless of WordPress core version.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity. The EPSS score of less than 1% suggests that the likelihood of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. The attack is inferred to require an existing site user with elevated privileges: an attacker must first authenticate with an account to which the plugin grants the Insert PHP Code Snippet capability. Once authenticated, the attacker can upload code that will run on the web server, potentially compromising the entire site.
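The following is an added illustration, not code from the plugin or from f1logic: a hypothetical WordPress admin-post handler that stores a PHP snippet, shown first without any authorization check (the Missing Authorization pattern described above) and then hardened with a capability check and nonce verification. The function names, action name and option key (ipcs_*) are assumptions made for this example.

```php
<?php
// Hypothetical snippet-save handler for a WordPress plugin. All ipcs_* names and the
// 'ipcs_snippet' option key are assumptions for illustration, not the real plugin's code.
// Register only ONE of the two handlers below; both are shown for comparison.

// VULNERABLE: admin-post.php is reachable by any logged-in user, and this handler never
// asks WordPress whether the caller is allowed to store code that the plugin later executes.
function ipcs_save_snippet_vulnerable() {
    $code = isset( $_POST['snippet'] ) ? wp_unslash( $_POST['snippet'] ) : '';
    update_option( 'ipcs_snippet', $code );            // PHP source stored for later execution
    wp_safe_redirect( admin_url( 'admin.php?page=ipcs' ) );
    exit;
}
// add_action( 'admin_post_ipcs_save', 'ipcs_save_snippet_vulnerable' );

// HARDENED: require a capability that is appropriate for arbitrary code execution and
// verify a nonce so the request cannot be forged via CSRF. 'manage_options' is used here
// as a conservative choice; on multisite, is_super_admin() is the usual bar for raw code.
function ipcs_save_snippet_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to edit PHP snippets.', 'ipcs' ), 403 );
    }
    // Dies with a 403 if the nonce field is missing or does not match this action.
    check_admin_referer( 'ipcs_save_snippet', 'ipcs_nonce' );

    $code = isset( $_POST['snippet'] ) ? wp_unslash( $_POST['snippet'] ) : '';
    update_option( 'ipcs_snippet', $code );
    wp_safe_redirect( admin_url( 'admin.php?page=ipcs' ) );
    exit;
}
add_action( 'admin_post_ipcs_save', 'ipcs_save_snippet_hardened' );

// The settings form that posts to admin-post.php must emit the matching nonce field:
//   wp_nonce_field( 'ipcs_save_snippet', 'ipcs_nonce' );
```

Reviewing a plugin for this class of bug means checking every admin_post_*, admin_ajax_* and REST callback that writes executable content for both a current_user_can() test and a nonce or REST permission_callback, not just the menu page that links to it.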
OpenCVE Enrichment