CVE-2025-6784
Received Received - Intake

Remote Code Execution in Code Engine WordPress Plugin

Vulnerability report for CVE-2025-6784, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Wordfence

Description

The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin not restricting access to the code injecting functionality of the plugin. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
code_engine code_engine to 0.3.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Code Engine plugin for WordPress has a vulnerability that allows Remote Code Execution (RCE) in all versions up to and including 0.3.5. This occurs through the 'code-engine' shortcode because the plugin does not restrict access to its code injecting functionality.

As a result, authenticated attackers with Contributor-level access or higher can execute arbitrary code on the server.

Impact Analysis

This vulnerability can have severe impacts because it allows attackers with relatively low privileges (Contributor-level access) to execute arbitrary code on the server.

  • Complete compromise of the server hosting the WordPress site.
  • Potential data theft or data loss.
  • Defacement or unauthorized modification of website content.
  • Use of the server for further attacks or malicious activities.
Mitigation Strategies

To mitigate this vulnerability, you should update the Code Engine plugin for WordPress to a version later than 0.3.5 where the issue is fixed.

Additionally, restrict Contributor-level and above users from accessing the 'code-engine' shortcode functionality until the update is applied.

Consider reviewing user permissions to limit the number of users with Contributor-level access or higher.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-6784. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart