Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.This issue affects Woody ad snippets: from n/a through <= 2.7.1.
Published: 2026-03-25
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw is an improper control of code generation in the WordPress Woody ad snippets plug‑in’s insert‑php feature, allowing an attacker to inject and execute arbitrary PHP code. This results in full compromise of the web application, affecting confidentiality, integrity, and availability. The weakness is classified under CWE‑94, Code Injection.

Affected Systems

WordPress sites that have the Woody ad snippets plug‑in deployed with versions up to and including 2.7.1 are affected. The vulnerability is limited to installations where the insert‑php capability is enabled.

Risk and Exploitability

The CVSS score of 9.9 marks this as a critical vulnerability. EPSS and KEV data are unavailable, but the nature of the flaw suggests a high probability of exploitation in environments where the plug‑in remains active. The likely attack vector is through the insert‑php interface, probably requiring authenticated access to the WordPress admin area. The impact is full remote code execution on the affected host.

Generated by OpenCVE AI on March 25, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Woody ad snippets plug‑in to a version newer than 2.7.1 if one is available.
  • If an upgrade cannot be performed immediately, deactivate or delete the insert‑php functionality to prevent code injection.
  • Verify that no malicious PHP code has been placed via the insert‑php field and remove any such code.
  • Restrict administrative access to the plugin settings to trusted users only.

Generated by OpenCVE AI on March 25, 2026 at 22:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Themeisle
Themeisle woody Ad Snippets
Wordpress
Wordpress wordpress
Vendors & Products Themeisle
Themeisle woody Ad Snippets
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.This issue affects Woody ad snippets: from n/a through <= 2.7.1.
Title WordPress Woody ad snippets plugin <= 2.7.1 - Remote Code Execution (RCE) vulnerability
Weaknesses CWE-94
References

Subscriptions

Themeisle Woody Ad Snippets
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T19:54:30.837Z

Reserved: 2026-02-02T12:52:55.300Z

Link: CVE-2026-25366

cve-icon Vulnrichment

Updated: 2026-03-25T19:54:16.374Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:47.560

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25366

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:12:45Z

Weaknesses