CVE-2025-13035

HIGH

WordPress Code Snippets <3.9.1 - Code Injection

Title source: llm

Description

The Code Snippets plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.9.1. This is due to the plugin's use of extract() on attacker-controlled shortcode attributes within the `evaluate_shortcode_from_flat_file` method, which can be used to overwrite the `$filepath` variable and subsequently passed to require_once. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server via the `[code_snippet]` shortcode using PHP filter chains granted they can trick an administrator into enabling the "Enable file-based execution" setting and creating at least one active Content snippet.

References (4)

Core 4

Core References

Product

https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.8.1/php/front-end/class-front-end.php#L295

Product

https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.8.1/php/front-end/class-front-end.php#L296

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3397635%40code-snippets%2Ftrunk&old=3395415%40code-snippets%2Ftrunk&sfp_email=&sfph_mail=#file23

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/c7c7247c-2fc3-46ff-858e-2242b7211476?source=cve

Scores

CVSS v3 8.0

EPSS 0.0031

EPSS Percentile 22.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (1)

codesnippetspro/Code Snippets < 3.9.1

Published Nov 19, 2025

Tracked Since Feb 18, 2026