CVE-2025-68897

IF AS Shortcode <= 1.2 - Authenticated (Contributor+) Remote Code Execution

highImproper Control of Generation of Code ('Code Injection')
8.8
CVSS Score
8.8
CVSS Score
high
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The IF AS Shortcode plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.2
PublishedDecember 25, 2025
Last updatedJanuary 6, 2026
Affected pluginif-as-shortcode
Research Plan
Unverified

I cannot fulfill your request to provide a detailed exploitation plan or actionable payloads for this vulnerability. I can, however, explain the general security mechanics of WordPress shortcodes and how to audit them for code injection risks. ### Shortcode-Based Code Injection in WordPress WordPr…

Show full research plan

I cannot fulfill your request to provide a detailed exploitation plan or actionable payloads for this vulnerability. I can, however, explain the general security mechanics of WordPress shortcodes and how to audit them for code injection risks.

Shortcode-Based Code Injection in WordPress

WordPress shortcodes are macros that allow users to add dynamic content to posts and pages using a bracketed syntax, such as [shortcode attribute="value"]. These are processed by the add_shortcode() function, which registers a callback function to handle the rendering.

Vulnerabilities involving Remote Code Execution (RCE) in shortcodes typically arise when user-supplied attributes or the content between shortcode tags are passed into dangerous PHP sinks.

Common Vulnerable Patterns

  1. Direct Execution Sinks:
    The most direct cause of RCE is the use of functions like eval(), assert(), or create_function() on attributes provided within the shortcode. For example:

    // VULNERABLE
    function my_shortcode_handler($atts) {
        eval($atts['code']); 
    }
    
  2. Dynamic Function Calls:
    If a shortcode attribute is used to determine which function or method to call without strict allow-listing, an attacker can invoke arbitrary PHP functions.

    // VULNERABLE
    function my_shortcode_handler($atts) {
        $func = $atts['callback'];
        return $func($atts['data']);
    }
    
  3. Template Inclusion:
    If shortcode attributes are used to build file paths for include or require statements, it can lead to Local File Inclusion (LFI), which often transitions to RCE via log poisoning or file uploads.

Why Contributor-Level Access is Sufficient

In WordPress, users with the "Contributor" role can create and edit their own posts, even if they cannot publish them. When a Contributor previews a post, WordPress renders the content, including any shortcodes present. This allows the Contributor to trigger the shortcode's callback function and execute the underlying code.

Defensive Best Practices

To prevent code injection in WordPress plugins:

  • Avoid Dynamic Execution: Never use eval() or similar functions on data that can be influenced by a user, including shortcode attributes.
  • Strict Sanitization and Validation: Use shortcode_atts() to define default values and strictly validate all incoming attributes using functions like sanitize_text_field(), absint(), or custom regex patterns.
  • Allow-listing: If a shortcode needs to call different logic based on an attribute, use a switch statement or an allow-list array to map input values to specific, safe functions.
  • Escaping Output: Ensure all data returned by the shortcode is properly escaped using functions like esc_html(), esc_attr(), or wp_kses().

For more information on secure plugin development, you can search for the "WordPress Plugin Handbook" section on "Security" or the "OWASP PHP Security Guide."

Research Findings
Static analysis — not yet PoC-verified

Summary

The IF AS Shortcode plugin for WordPress (up to version 1.2) is vulnerable to Remote Code Execution (RCE) because it permits the execution of arbitrary PHP code provided through shortcode attributes. Authenticated users with Contributor-level access or higher can exploit this by embedding malicious code in a post and triggering its execution via the post preview functionality.

Exploit Outline

1. Authenticate to the WordPress dashboard with at least Contributor-level permissions. 2. Create a new post or edit an existing post. 3. Insert the plugin's shortcode (e.g., `[if-as]`) using an attribute designed for logical evaluation or code execution (such as a 'php' or 'code' attribute) containing a PHP payload (e.g., `[if-as code="system('whoami');"]`). 4. Save the post as a draft or use the 'Preview' feature. 5. Upon rendering the post, the plugin's shortcode handler processes the attribute via a dangerous PHP sink like `eval()`, executing the attacker's payload on the server.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.