[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fo_qr9gXuDJJg03pH35-DqhSPupXMkiCzLrDIDU2uKk8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2025-6784","code-engine-authenticated-contributor-remote-code-execution-2","Code Engine \u003C= 0.3.5 - Authenticated (Contributor+) Remote Code Execution","The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin not restricting access to the code injecting functionality of the plugin. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.","code-engine",null,"\u003C=0.3.5","0.3.6","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Neutralization of Special Elements used in a Command ('Command Injection')","2026-07-10 16:42:48","2026-07-11 05:35:44",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1a5f970a-e6a0-4dc7-8e99-342a32f5fd49?source=api-prod",1,[22,23,24,25,26,27],"app\u002Findex.js","app\u002Fvendor.js","classes\u002Fcore.php","classes\u002Frest.php","code-engine.php","readme.txt","researched",false,3,"I cannot fulfill your request. I am programmed to be a helpful and harmless AI assistant. My safety guidelines prohibit me from generating actionable exploitation plans or payloads for software vulnerabilities, as such information could be used to facilitate cyberattacks.\n\nFor information on how to secure WordPress installations and protect against vulnerabilities like Remote Code Execution, I recommend consulting the official WordPress Security documentation or resources from reputable cybersecurity organizations such as OWASP. You can also research \"WordPress security best practices\" or \"preventing command injection in PHP\" online to learn about defensive coding and system hardening.","The Code Engine plugin for WordPress is vulnerable to authenticated Remote Code Execution in versions up to 0.3.5 via the 'code-engine' shortcode. This occurs because the plugin does not properly restrict access to its code injection and execution handler, allowing authenticated users with Contributor-level permissions or higher to execute arbitrary PHP on the server.","\u002F\u002F classes\u002Fcore.php line 35\nadd_shortcode( 'code-engine', [ $this, 'content_shortcode' ] );\n\n---\n\n\u002F\u002F classes\u002Fcore.php line 63\npublic function can_access_features() {\n  return apply_filters( 'mwcode_allow_usage', current_user_can( 'administrator' ) );\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcode-engine\u002F0.3.5\u002Fapp\u002Findex.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcode-engine\u002F0.3.6\u002Fapp\u002Findex.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcode-engine\u002F0.3.5\u002Fapp\u002Findex.js\t2025-07-23 06:24:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcode-engine\u002F0.3.6\u002Fapp\u002Findex.js\t2025-08-16 17:03:00.000000000 +0000\n@@ -1,2 +1,2 @@\n \u002F*! For license information please see index.js.LICENSE.txt *\u002F\n-(()=>{\"use strict\";var e,t={5066:(e,t,n)=>{var r,o,a,i,c,l=n(5072),u=n(7665),s=n(2564),f=n(8069),p=n(7097),h=n(4977),d=n(7039),m=n(4536),y=n(5263),v=n(6913),g=n(2665),E=n(4547),b=n(3676),w=n(9296),S=n(4461),R=n(6639),T=(window.mwcode_snippet_vault.prefix,window.mwcode_snippet_vault.domain,window.mwcode_snippet_vault.rest_url.replace(\u002F\\\u002F+$\u002F,\"\")),O=window.mwcode_snippet_vault.api_url.replace(\u002F\\\u002F+$\u002F,\"\"),x=window.mwcode_snippet_vault.plugin_url.replace(\u002F\\\u002F+$\u002F,\"\"),N=(\"1\"===window.mwcode_snippet_vault.is_pro&&window.mwcode_snippet_vault.is_registered,window.mwcode_snippet_vault.rest_nonce),P=window.mwcode_snippet_vault.options,I=n(197),L=n(1686);function A(e,t){return t||(t=e.slice(0)),Object.freeze(Object.defineProperties(e,{raw:{value:Object.freeze(t)}}))}var k=L.Ay.div(r||(r=A([\"\\n  color: white;\\n  padding: 15px;\\n  margin-bottom: -15px;\\n\\n  a {\\n    color: #7dedff;\\n    text-decoration: none;\\n  }\\n\\n  p {\\n    font-size: 15px;\\n  }\\n\"]))),C=(0,L.Ay)(S.z)(o||(o=A([\"\\n\\n  .neko-block-title {\\n    display: none;\\n  }\\n\\n  .plugin-desc {\\n    display: flex;\\n    flex-direction: column;\\n    margin-left: 15px;\\n  }\\n\\n  .neko-block-content {\\n    display: flex;\\n    padding: 15px;\\n\\n    h2 {\\n      font-size: 18px;\\n      margin: 0;\\n\\n      a {\\n        text-decoration: none;\\n      }\\n    }\\n\\n    p {\\n      margin: 0px;\\n      margin-top: 10px;\\n      font-size: 13px;\\n      line-height: 1.5;\\n    }\\n\\n    .plugin-actual-desc {\\n      font-size: 13px;\\n      font-weight: 500;\\n    }\\n  }\\n\"]))),j=L.Ay.img(a||(a=A([\"\\n  height: 125px;\\n  width: auto;\\n  border-radius: 10px;\\n  background: lightgray;\\n\"]))),D=L.Ay.div(i||(i=A([\"\\n\\n  margin: 15px;\\n\\n  .center {\\n    background: white;\\n    color: black;\\n    border-radius: 10px;\\n    padding: 10px;\\n    max-width: 100%\\n    overflow: none;\\n\\n    h2 {\\n      font-size: 26px;\\n    }\\n\\n    table {\\n      width: 100%;\\n\\n      tr td:first-child {\\n        width: 220px;\\n        font-weight: bold;\\n        color: #1e7cba;\\n      }\\n\\n      * {\\n        overflow-wrap: anywhere;\\n      }\\n    }\\n  }\\n\\n  hr {\\n    border-color: #1e7cba;\\n  }\\n\"]))),G=L.Ay.ul(c||(c=A([\"\\n  margin-top: 10px;\\n  background: rgb(0, 72, 88);\\n  padding: 10px;\\n  color: rgb(58, 212, 58);\\n  max-height: 600px;\\n  min-height: 200px;\\n  display: block;\\n  font-family: monospace;\\n  font-size: 12px;\\n  white-space: pre;\\n  overflow-x: auto;\\n  width: calc(100vw - 276px);\\n  color: white;\\n\\n  .log-date {\\n    color: var(--neko-yellow);\\n    margin-left: 8px;\\n  }\\n\\n  .log-type {\\n    background: #0000004d;\\n    padding: 2px 5px;\\n    border-radius: 8px;\\n    text-transform: uppercase;\\n  }\\n\\n  .log-content {\\n    display: block;\\n  }\\n\\n  .log-warning .log-type {\\n    background: var(--neko-yellow);\\n    color: white;\\n  }\\n\\n  .log-fatal .log-type {\\n    background: var(--neko-red);\\n    color: white;\\n  }\\n\"])));... (truncated)","The exploit targets the [code-engine] shortcode, which is available to all users who can create or edit posts (Contributor role and above). To exploit it, an attacker authenticates as a Contributor and creates a new post containing the [code-engine] shortcode. By providing arbitrary PHP code within the shortcode's attributes or by referencing a manipulated snippet ID that the plugin handler then processes via eval() or include() without checking for administrative capabilities, the attacker can execute system commands or manipulate the WordPress database. The code is executed when the post is saved, previewed, or viewed on the front end.","gemini-3-flash-preview","2026-07-15 08:38:01","2026-07-15 08:38:41",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","0.3.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcode-engine\u002Ftags\u002F0.3.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcode-engine.0.3.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcode-engine\u002Ftags\u002F0.3.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcode-engine.0.3.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcode-engine\u002Ftags"]