CVE-2026-25366
Code Injection in Woody Ad Snippets Plugin
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themeisle | woody_ad_snippets | to 2.7.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25366 is a Remote Code Execution (RCE) vulnerability in the WordPress plugin "Woody ad snippets" versions up to and including 2.7.1.
This vulnerability allows attackers with at least contributor or developer privileges to execute arbitrary commands on the affected website.
It is classified under the OWASP Top 10 category A3: Injection, meaning it involves improper control of code generation leading to code injection.
The flaw can lead to attackers gaining backdoor access and full control over the site.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including allowing attackers to execute arbitrary commands on your website.
Attackers could gain backdoor access and full control over your site, potentially leading to data theft, site defacement, or use of your site for malicious purposes.
Because of its high CVSS score of 9.9, it is considered highly dangerous and likely to be exploited in mass attack campaigns targeting many websites.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows attackers with contributor or developer privileges to execute arbitrary commands on the affected WordPress site through the Woody ad snippets plugin up to version 2.7.1.
Detection typically involves checking the version of the Woody ad snippets plugin installed on your WordPress site to see if it is version 2.7.1 or earlier, as these are vulnerable.
You can detect the vulnerable plugin version by running commands to list installed WordPress plugins and their versions, for example:
- Using WP-CLI: wp plugin list | grep woody-ad-snippets
- Manually checking the plugin version in the WordPress admin dashboard under Plugins.
Additionally, monitoring for suspicious activity such as unexpected PHP code execution or unusual web requests targeting the plugin's functionality may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The most immediate and effective mitigation step is to update the Woody ad snippets plugin to version 2.7.2 or later, where the vulnerability has been patched.
If immediate updating is not possible, applying mitigation rules provided by Patchstack to block attacks targeting this vulnerability is recommended.
Users are also advised to seek assistance from their hosting providers or web developers to implement temporary protections or monitoring.
Enforcing least privilege by limiting contributor or developer access to trusted users can reduce the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-25366 is a critical Remote Code Execution vulnerability that allows attackers with certain privileges to execute arbitrary commands and potentially gain full control over affected websites. Such unauthorized access and control can lead to data breaches, unauthorized data manipulation, and exposure of sensitive information.
This kind of security breach can negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require organizations to protect personal and sensitive data from unauthorized access and ensure the integrity and confidentiality of that data.
Failure to address this vulnerability promptly could result in violations of these regulations, leading to legal penalties, reputational damage, and loss of trust.