Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Yannick Lefebvre Modal Dialog modal-dialog allows Remote Code Inclusion.This issue affects Modal Dialog: from n/a through <= 3.5.16.
Published: 2026-03-13
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the Modal Dialog plugin arises from improper control of code generation, a form of code injection. This flaw enables an attacker to insert and execute arbitrary PHP code on the WordPress site, resulting in full remote code execution. The weakness is identified as CWE-94, indicating a failure to validate or sanitize code-generating input.

Affected Systems

Affected systems are WordPress installations using the Modal Dialog plugin created by Yannick Lefebvre. All releases from the earliest available version up to and including 3.5.16 are impacted, as stated by the vendor’s range specification.

Risk and Exploitability

The issue carries a high CVSS score of 9.1, indicating critical severity. Although the EPSS score is low (< 1%), the potential for catastrophic compromise makes the risk significant. The vulnerability is not listed in the CISA KEV catalog, and no official workaround has been provided. Based on the description, it is inferred that the attack vector is remote, likely through the plugin’s interface where malicious input can be injected.

Generated by OpenCVE AI on March 17, 2026 at 16:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Modal Dialog plugin to a version newer than 3.5.16 once a patch is released.

Generated by OpenCVE AI on March 17, 2026 at 16:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Ylefebvre
Ylefebvre modal Dialog
Vendors & Products Wordpress
Wordpress wordpress
Ylefebvre
Ylefebvre modal Dialog

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Generation of Code ('Code Injection') vulnerability in Yannick Lefebvre Modal Dialog modal-dialog allows Remote Code Inclusion.This issue affects Modal Dialog: from n/a through <= 3.5.16.
Title WordPress Modal Dialog plugin <= 3.5.16 - Remote Code Execution (RCE) vulnerability
Weaknesses CWE-94
References

Subscriptions

Wordpress Wordpress
Ylefebvre Modal Dialog
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:00.174Z

Reserved: 2026-03-12T11:10:53.774Z

Link: CVE-2026-32367

cve-icon Vulnrichment

Updated: 2026-03-16T14:43:23.995Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:50.897

Modified: 2026-03-16T15:16:23.027

Link: CVE-2026-32367

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:58:50Z

Weaknesses