CVE-2025-14166
PHP Code Injection in WPMasterToolKit Plugin Enables RCE
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wpmastertoolkit | 2.13.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users with Contributor-level access and above to execute arbitrary PHP code on the server, leading to remote code execution, privilege escalation, and complete site compromise. Such a compromise can result in unauthorized access to sensitive data, potentially violating data protection regulations like GDPR and HIPAA. However, the provided resources do not explicitly discuss compliance impacts or regulatory considerations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability on your WordPress system, check whether the WPMasterToolKit plugin is installed and whether its version is 2.13.0 or earlier, as these versions are vulnerable. You can verify the plugin version via the WordPress admin dashboard or by inspecting the plugin files directly. Additionally, review user roles and permissions to see whether non-administrator users (Contributor-level or above) have access to the Code Snippets feature, which should be restricted. Since the vulnerability involves unauthorized PHP code execution through the Code Snippets feature, look for suspicious or unexpected snippets stored in the plugin's custom post type `wpmtk_code_snippets`.

Suggested commands (run on the server hosting WordPress):

1. Check the plugin version:

```bash
grep "Version:" wp-content/plugins/wpmastertoolkit/readme.txt
```

2. List code snippet posts (requires WP-CLI):

```bash
wp post list --post_type=wpmtk_code_snippets --fields=ID,post_title,post_author
```

3. Review snippet content for suspicious PHP code (replace `<ID>` with the snippet ID):

```bash
wp post get <ID> --field=post_content
```

4. Check user roles and capabilities (to identify whether non-admin users can edit snippets):

```bash
wp user list --role=contributor
```

Then verify whether these users have access to the Code Snippets UI. Monitoring network traffic for unusual POST requests to the plugin's admin pages related to code snippet creation or editing could also help detect exploitation attempts, but specific network commands are not provided in the resources. [1, 4, 2]
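The version check above is easy to get wrong with a plain string comparison (2.9.5 sorts after 2.13.0 lexically). The following added example, not part of the advisory or the plugin, reads the version from plugin header text (WordPress plugins carry `Version:` in the main PHP file and `Stable tag:` in readme.txt), compares it numerically against the last affected release, and refuses to report "safe" when no version could be read; the sample header is constructed for the demonstration.

```sh
# Added example, not part of the advisory: decide from plugin header text
# whether an installed WPMasterToolKit build is in the affected range
# (2.13.0 and earlier). Reads "Version:" (main PHP file) or "Stable tag:" (readme.txt).
LAST_AFFECTED="2.13.0"   # per the advisory: up to and including this version

# Print the first version string found in header text read from stdin.
wpmtk_version_from_header() {
    awk -F': *' '/^[[:space:]*#]*(Version|Stable tag):/ {
        gsub(/[^0-9.]/, "", $2); print $2; exit }'
}

# True (exit 0) when dotted version $1 <= $2, compared field by field:
# a plain string compare would wrongly rank 2.9.5 above 2.13.0.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# Report on one version string; exit 0 = affected, 1 = not affected,
# 2 = version could not be determined (never assume "safe" on no data).
wpmtk_affected() {
    [ -n "$1" ] || { echo "WPMasterToolKit: version not found in header"; return 2; }
    if version_le "$1" "$LAST_AFFECTED"; then
        echo "WPMasterToolKit $1: AFFECTED by CVE-2025-14166 (<= $LAST_AFFECTED)"
        return 0
    fi
    echo "WPMasterToolKit $1: not affected (> $LAST_AFFECTED)"
    return 1
}

# Constructed sample header standing in for the plugin's main PHP file.
SAMPLE_HEADER='<?php
/**
 * Plugin Name: WPMasterToolKit
 * Version: 2.13.0
 */'

installed=$(printf '%s\n' "$SAMPLE_HEADER" | wpmtk_version_from_header)
wpmtk_affected "$installed" || :     # 2.13.0 -> affected
wpmtk_affected "2.14.0"     || :     # a later build -> not affected
```

On a live host, feed the real header with `wpmtk_version_from_header < wp-content/plugins/wpmastertoolkit/<main-plugin-file>.php` (the file name is left as a placeholder here).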
Can you explain this vulnerability to me?
The WPMasterToolKit WordPress plugin up to version 2.13.0 allows users with Contributor-level access or higher to inject and execute arbitrary PHP code via the Code Snippets feature because it lacks proper capability checks. This leads to remote code execution, privilege escalation, and full site compromise.
How can this vulnerability impact me?
An attacker with Contributor-level access can execute arbitrary PHP code on the server, which can result in remote code execution, privilege escalation, and complete compromise of the WordPress site.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the WPMasterToolKit plugin to a version later than 2.13.0 where the issue is fixed. Additionally, restrict user roles to prevent Contributor-level and Author-level users from accessing the Code Snippets feature until the update is applied. Review user permissions and monitor for any suspicious PHP code execution attempts.