Code Engine Security & Risk Analysis

wordpress.org/plugins/code-engine

Versatile plugin that not only manages PHP code snippets but also acts as a powerful bridge connecting WordPress, AI, and external digital platforms.

700 active installs · v0.4.3 · PHP + WP 6.0+ · Updated Mar 9, 2026
Tags: ai, code, php, rest, snippet
Score: 97 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Aug 7, 2025
Safety Verdict

Is Code Engine Safe to Use in 2026?

Generally Safe

Score 97/100

Code Engine has a strong security track record. Both known vulnerabilities were patched promptly (within 5 and 37 days of the dates listed below), and none remain unpatched.

2 known CVEs · Last CVE: Aug 7, 2025 · Updated 25d ago
Risk Assessment

Code Engine v0.4.3 shows a mixed security posture. In its favour: a small attack surface (one shortcode entry point), 86% of outputs escaped (24 of 28), 67% of SQL queries prepared (18 of 27), no unpatched CVEs, and no critical or high severity flows in taint analysis. Against it: the scanner flags three `preg_replace` calls in classes\core.php (lines 300, 406 and 408) as using the `/e` modifier, which evaluates the replacement string as PHP and was a classic arbitrary code execution vector, and the two CVEs (a high-severity authenticated code injection and a stored XSS, both reachable from the Contributor role) point to earlier weaknesses in input sanitization and output neutralization.

Two caveats apply before the `/e` finding is treated as exploitable. First, the matched snippet, `preg_replace( '/e`, only shows the characters `/e` at the start of the pattern argument, which is also what a pattern that merely begins with the letter e looks like; the `/e` modifier sits after the pattern's closing delimiter, so the three lines should be checked against the source. Second, PHP 7.0 removed the modifier entirely: on a PHP 7 or 8 runtime a pattern carrying `/e` makes `preg_replace()` emit an "Unknown modifier 'e'" warning and return null, so a genuine hit is broken code rather than a live eval sink. On the other side, the absence of taint flows reflects the limited scope of the static analysis, not a proof of safety. Users should verify the flagged calls, keep the plugin up to date, and restrict snippet-editing capabilities to trusted roles, since both past CVEs were exploitable by Contributor-level accounts.
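The following triage script is an added example for this report, not Code Engine's code. It answers the two questions an auditor has about a "preg_replace(/e)" hit: does the pattern literal really carry the e modifier (as opposed to starting with the letter e, which is all the scanner signature proves), and what does the safe rewrite look like. The pattern literals and the placeholder-expansion functions are constructed for illustration and do not come from the plugin.

```php
<?php
// Added triage example for the three flagged calls; not Code Engine's code.

// Return the modifier characters after a PCRE pattern's closing delimiter.
// Bracket-style delimiters close with their counterpart; any other delimiter
// closes with the same character that opened the pattern.
function preg_modifiers(string $pattern): string
{
    $pattern = trim($pattern);
    if ($pattern === '') {
        return '';
    }
    $open  = $pattern[0];
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = isset($pairs[$open]) ? $pairs[$open] : $open;
    $end   = strrpos($pattern, $close);
    if ($end === false || $end === 0) {
        return ''; // no closing delimiter: PCRE rejects such a pattern anyway
    }
    return substr($pattern, $end + 1);
}

// True only when "e" is among the modifiers, not when the pattern body
// happens to start with the letter e (which is all `preg_replace( '/e` shows).
function uses_e_modifier(string $pattern): bool
{
    return strpos(preg_modifiers($pattern), 'e') !== false;
}

// Pre-PHP-7 idiom the scanner is hunting: the replacement string is eval()'d
// after back-references are filled in, so attacker text reaching $input or the
// replacement becomes code. PHP 7.0 removed the modifier; on PHP 7 and 8 this
// call only raises "Unknown modifier 'e'" (suppressed here) and returns null.
function expand_placeholders_unsafe(string $input)
{
    return @preg_replace('/\{(\w+)\}/e', 'strtoupper("$1")', $input);
}

// Safe rewrite: the callback is ordinary PHP and nothing is evaluated from data.
function expand_placeholders_safe(string $input): string
{
    return preg_replace_callback(
        '/\{(\w+)\}/',
        static function (array $m): string {
            return strtoupper($m[1]);
        },
        $input
    );
}

// Constructed pattern literals of the kind an auditor would pull from the
// flagged lines: one starts with "e", one has the e modifier, one has neither,
// one carries "e" among several modifiers.
foreach (['/e[a-z]+/i', '/\{(\w+)\}/e', '#^e.*#', '~x~eu'] as $literal) {
    printf(
        "%-16s modifiers=%-4s uses /e: %s\n",
        $literal,
        preg_modifiers($literal),
        uses_e_modifier($literal) ? 'yes' : 'no'
    );
}

var_dump(expand_placeholders_unsafe('hello {world}'));
var_dump(expand_placeholders_safe('hello {world}'));
```

Run it with `php triage.php` on PHP 7 or 8: only the second and fourth literals report the modifier, and the unsafe function returns null while the callback version uppercases the placeholder. Copy the three real pattern literals from classes\core.php into the array to settle the finding for this plugin.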

Key Concerns

  • Dangerous function usage: 3 `preg_replace` calls flagged for the `/e` modifier (classes\core.php:300, 406, 408); verify against the source
  • History of high-severity vulnerability (Code Injection / XSS)
  • 9 of 27 SQL queries without prepared statements
Vulnerabilities: 2

Code Engine Security Vulnerabilities

CVEs by Year

2025: 2 CVEs (both patched)

Severity Breakdown

High: 1 · Medium: 1 (2 total CVEs)

CVE-2025-48169 · High (8.8) · Improper Control of Generation of Code ('Code Injection')

Code Engine <= 0.3.3 - Authenticated (Contributor+) Remote Code Execution

Aug 7, 2025 · Patched in 0.3.4 (5d)

CVE-2025-50043 · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Code Engine <= 0.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 19, 2025 · Patched in 0.3.3 (37d)
Code Analysis (analyzed Mar 16, 2026)

Code Engine Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 9 (18 prepared)
Unescaped Output: 4 (24 escaped)
Nonce Checks: 1
Capability Checks: 11
File Operations: 6
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

preg_replace(/e) · matched `preg_replace( '/e` · classes\core.php:300
preg_replace(/e) · matched `preg_replace( '/e` · classes\core.php:406
preg_replace(/e) · matched `preg_replace( '/e` · classes\core.php:408

SQL Query Safety

67% prepared (18 of 27 queries)

Output Escaping

86% escaped (24 of 28 outputs)
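The two counters above measure raw SQL queries and unescaped outputs. The block below is an added hardening example, not Code Engine's code: each defect class is shown in its raw form beside its safe form. It assumes a WordPress runtime (`$wpdb`, `esc_html()`, `esc_attr()`, `esc_url()`) and a hypothetical `{$wpdb->prefix}mwcode_snippets` table; the `mwcode_` function names are invented for the example.

```php
<?php
// Added hardening example; not Code Engine's code. Load from a plugin or
// mu-plugin file so $wpdb and the esc_* helpers exist. The table name and the
// mwcode_ functions are hypothetical.

// SQL, raw: $slug is interpolated into the statement, so a quote in $slug
// changes the query. This is what the "9 raw" counter above is measuring.
function mwcode_snippet_by_slug_raw(string $slug)
{
    global $wpdb;
    $table = $wpdb->prefix . 'mwcode_snippets';
    return $wpdb->get_row("SELECT id, code FROM {$table} WHERE slug = '{$slug}'");
}

// SQL, prepared: values go through placeholders. %s is quoted and escaped by
// wpdb, %d is cast to int. The table name is built from the trusted prefix,
// never from request data.
function mwcode_snippet_by_slug(string $slug)
{
    global $wpdb;
    $table = $wpdb->prefix . 'mwcode_snippets';
    return $wpdb->get_row($wpdb->prepare(
        "SELECT id, code FROM {$table} WHERE slug = %s LIMIT %d",
        $slug,
        1
    ));
}

// LIKE needs one more step: escape the wildcard characters before binding,
// otherwise a user-supplied "%" matches every row.
function mwcode_snippets_search(string $term)
{
    global $wpdb;
    $table = $wpdb->prefix . 'mwcode_snippets';
    $like  = '%' . $wpdb->esc_like($term) . '%';
    return $wpdb->get_results($wpdb->prepare(
        "SELECT id, slug FROM {$table} WHERE slug LIKE %s",
        $like
    ));
}

// Output, unescaped: a stored title containing <script> is emitted as markup.
// When the field is editable by Contributors this is stored XSS, the class of
// the medium-severity CVE listed above.
function mwcode_render_title_raw(string $title): string
{
    return '<h2 class="mwcode-title">' . $title . '</h2>';
}

// Output, escaped per context: esc_html() for text nodes, esc_attr() for
// attribute values, esc_url() for href. The helper must match where the value
// lands, which is why the counter tracks outputs rather than variables.
function mwcode_render_title(string $title, string $slug, string $edit_url): string
{
    return sprintf(
        '<h2 class="mwcode-title" data-slug="%s">%s <a href="%s">edit</a></h2>',
        esc_attr($slug),
        esc_html($title),
        esc_url($edit_url)
    );
}
```

The raw functions are kept only to show what the scanner counts; in a review, every `$wpdb->query()`, `get_row()`, `get_results()` or `get_var()` call whose string is not wrapped in `$wpdb->prepare()` should be read the same way.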
Attack Surface

Code Engine Attack Surface

Entry Points: 1 · Unprotected: 0

The entry-point count covers shortcodes only. The two rest_api_init hooks listed below (classes\rest.php:19 and common\rest.php:14) register REST routes under the /wp-json/code-engine/v1 namespace recorded in the fingerprint section, which are reachable with a plain HTTP request, and the `mwcode_allow_public_api` filter at classes\rest.php:183 indicates by its name that the API can be opened to unauthenticated callers. Those routes, their permission callbacks, and the MCP tool callbacks hooked in classes\mcp.php are part of the remote attack surface and deserve the same review as the shortcode.

Shortcodes (1)

[code-engine]  classes\core.php:36

WordPress Hooks (27)

action  admin_menu  classes\admin.php:11
action  admin_enqueue_scripts  classes\admin.php:27
action  plugins_loaded  classes\core.php:38
action  admin_notices  classes\init.php:8
action  plugins_loaded  classes\load.php:4
action  wp_enqueue_scripts  classes\load.php:200
action  admin_enqueue_scripts  classes\load.php:201
action  init  classes\mcp.php:11
filter  mwai_mcp_tools  classes\mcp.php:21
filter  mwai_mcp_callback  classes\mcp.php:24
filter  cron_schedules  classes\modules\cron.php:7
action  init  classes\modules\cron.php:8
action  rest_api_init  classes\rest.php:19
filter  mwcode_allow_public_api  classes\rest.php:183
action  admin_notices  common\admin.php:72
filter  plugin_row_meta  common\admin.php:77
filter  edd_sl_api_request_verify_ssl  common\admin.php:78
action  init  common\admin.php:96
action  admin_menu  common\admin.php:153
filter  admin_footer_text  common\admin.php:158
action  admin_footer  common\admin.php:218
action  admin_head  common\admin.php:456
action  admin_notices  common\news.php:43
filter  safe_style_css  common\news.php:44
action  admin_notices  common\ratings.php:33
filter  safe_style_css  common\ratings.php:34
action  rest_api_init  common\rest.php:14
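Because the hook list shows two rest_api_init registrations but the table counts no REST entry points, an auditor will want to enumerate the routes themselves. The helper below is an added example, not Code Engine's code: it walks the routes a WordPress site has registered in a namespace and reports each endpoint's permission callback, flagging the ones reachable without authentication. It assumes a WordPress runtime (core's `rest_get_server()`); the default namespace is the one recorded in the fingerprint section of this page, and the `mwcode_` function names are invented for the example.

```php
<?php
// Added audit helper; not Code Engine's code. Drop it in wp-content/mu-plugins/
// and call it from WP-CLI. Function names are hypothetical.

function mwcode_audit_rest_routes(string $namespace = 'code-engine/v1'): array
{
    $report = [];

    // rest_get_server() fires rest_api_init on first use, so every plugin's
    // routes are registered by the time get_routes() runs. It returns
    // route => list of endpoint handlers, 'methods' normalised to METHOD => true.
    foreach (rest_get_server()->get_routes($namespace) as $route => $handlers) {
        foreach ($handlers as $handler) {
            $perm = isset($handler['permission_callback']) ? $handler['permission_callback'] : null;

            // Core treats a missing permission_callback as public (and logs a
            // _doing_it_wrong notice); '__return_true' is the explicit spelling.
            $public = ($perm === null) || ($perm === '__return_true');

            $report[] = [
                'route'               => $route,
                'methods'             => implode(',', array_keys(array_filter((array) $handler['methods']))),
                'public'              => $public,
                'permission_callback' => is_string($perm) ? $perm : gettype($perm),
            ];
        }
    }
    return $report;
}

// One line per endpoint. A "!" marks endpoints anyone can call; each of those
// needs a capability test in its permission callback and, for state-changing
// methods, a nonce (cookie-authenticated callers send it as X-WP-Nonce).
function mwcode_print_rest_audit(string $namespace = 'code-engine/v1')
{
    foreach (mwcode_audit_rest_routes($namespace) as $row) {
        printf(
            "%s %-8s %-40s %s\n",
            $row['public'] ? '!' : ' ',
            $row['methods'],
            $row['route'],
            $row['permission_callback']
        );
    }
}
```

Run `wp eval 'mwcode_print_rest_audit();'` for the plugin's namespace, or `wp eval 'mwcode_print_rest_audit("");'` to list every route on the site. Closure callbacks print as "object"; open the registering file (classes\rest.php or common\rest.php here) to read what they check, and confirm how the `mwcode_allow_public_api` filter changes the result when it returns true.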
Maintenance & Trust

Code Engine Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 9, 2026
PHP min version:
Downloads: 12K

Community Trust

Rating: 100/100
Number of ratings: 8
Active installs: 700
Developer Profile

Code Engine Developer Profile

Jordy Meow

27 plugins · 371K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 372 days
Detection Fingerprints

How We Detect Code Engine

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/code-engine/app/index.js
/wp-content/plugins/code-engine/app/vendor.js
Script Paths
https://fonts.googleapis.com/css2?family=Lato:wght@100;300;400;700;900&display=swap
Version Parameters
code-engine/app/index.js?ver=
code-engine/app/vendor.js?ver=

HTML / DOM Fingerprints

Data Attributes: mwcode-admin-settings
JS Globals: mwcode_snippet_vault
REST Endpoints: /wp-json/code-engine/v1
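The fingerprints above can be applied with a few lines of code. The script below is an added example, not the audit service's own detector: it finds the two asset paths in page HTML, reads the version from the `?ver=` parameter, and checks the site's REST index for the plugin's namespace. The HTML and JSON inputs are constructed samples (the `id` attributes and host are made up) so the script runs offline; in practice pass the fetched home page and the body of `GET /wp-json/`.

```php
<?php
// Added detection example; not the audit service's code. Inputs below are
// constructed samples, not captured from a real site.

// Look for the plugin's script tags and pull the version from ?ver=.
function detect_code_engine_html(string $html)
{
    $assets = ['code-engine/app/index.js', 'code-engine/app/vendor.js'];
    $found  = [];
    foreach ($assets as $asset) {
        $re = '#/wp-content/plugins/' . preg_quote($asset, '#') . '(?:\?ver=([^"\'&\s]+))?#';
        if (preg_match($re, $html, $m)) {
            $found[$asset] = isset($m[1]) ? $m[1] : null;
        }
    }
    if ($found === []) {
        return null; // no asset reference: not installed, or assets not enqueued on this page
    }
    $versions = array_values(array_unique(array_filter($found)));
    return [
        'assets'  => array_keys($found),
        'version' => isset($versions[0]) ? $versions[0] : null,
    ];
}

// The REST index at /wp-json/ lists every registered namespace, so a plugin
// that registers routes is detectable there even on pages that ship no assets.
function detect_code_engine_rest(string $rest_index_json): bool
{
    $data = json_decode($rest_index_json, true);
    if (!is_array($data) || !isset($data['namespaces']) || !is_array($data['namespaces'])) {
        return false;
    }
    return in_array('code-engine/v1', $data['namespaces'], true);
}

// Constructed sample page and REST index (host, ids and version are made up).
$html = <<<'HTML'
<script src="https://example.test/wp-content/plugins/code-engine/app/vendor.js?ver=0.4.3" id="mwcode-vendor-js"></script>
<script src="https://example.test/wp-content/plugins/code-engine/app/index.js?ver=0.4.3" id="mwcode-index-js"></script>
HTML;
$rest = '{"name":"Example","namespaces":["wp/v2","code-engine/v1"]}';

print_r(detect_code_engine_html($html));
var_dump(detect_code_engine_rest($rest));
```

The `?ver=` value is whatever the plugin passes to `wp_enqueue_script()`, which usually tracks the plugin version but is not guaranteed to; treat it as an estimate and confirm against the Changelog or readme when the exact version matters for a CVE lookup.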
FAQ

Frequently Asked Questions about Code Engine