CVE-2025-6784 in Code Engine Plugin
Summary
by MITRE • 07/11/2026
The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin not restricting access to the code injecting functionality of the plugin. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/11/2026
The Code Engine plugin for WordPress presents a critical remote code execution vulnerability that affects all versions through 0.3.5, specifically through the 'code-engine' shortcode implementation. This vulnerability stems from inadequate access control mechanisms within the plugin's code injection functionality, creating a significant security gap that can be exploited by authenticated attackers. The flaw allows threat actors with Contributor-level privileges or higher to gain unauthorized code execution capabilities on the affected WordPress server, representing a serious compromise of system integrity and potentially leading to full server compromise.
The technical implementation of this vulnerability involves the plugin's failure to properly validate and restrict access to its code injection features within the shortcode functionality. When an authenticated user with sufficient privileges submits content containing the 'code-engine' shortcode, the plugin processes the input without adequate sanitization or authorization checks. This creates a path for arbitrary code execution where malicious payloads can be injected and executed within the WordPress environment. The vulnerability operates at the application layer and leverages the inherent trust relationships within WordPress user roles to escalate privileges and execute unauthorized operations.
The operational impact of this vulnerability extends beyond simple code injection, as it provides attackers with persistent access to the server infrastructure. Contributors in WordPress typically have limited capabilities such as creating and editing posts, but this vulnerability allows them to leverage their elevated permissions to execute system-level commands. This represents a privilege escalation attack vector that can be exploited for data exfiltration, malware deployment, or further lateral movement within network environments where WordPress instances are hosted. The vulnerability affects any WordPress installation using the affected plugin version, making it particularly concerning given the widespread adoption of WordPress across various organizations.
Mitigation strategies should focus on immediate patching to the latest available version of the Code Engine plugin that addresses this vulnerability. Organizations should also implement additional security measures such as role-based access control restrictions and monitoring for unusual shortcode usage patterns. The vulnerability aligns with CWE-20: Improper Input Validation and CWE-79: Cross-site Scripting attacks, representing a classic example of insufficient access control in web applications. From an ATT&CK framework perspective, this vulnerability maps to T1059.001: Command and Scripting Interpreter and T1068: Exploitation for Privilege Escalation, demonstrating how authenticated access can be leveraged for system compromise. Regular security audits of WordPress plugins and maintaining up-to-date software versions remain critical defensive measures against such vulnerabilities.