Overview
A high-severity vulnerability, identified as CVE-2025-13035, has been discovered in the Code Snippets plugin for WordPress. This vulnerability affects all versions up to and including 3.9.1. It allows authenticated attackers with Contributor-level access or higher to inject and execute arbitrary PHP code on the server. Exploitation requires that the “Enable file-based execution” setting is enabled by an administrator and at least one active Content snippet exists. This poses a significant risk to WordPress websites utilizing the affected plugin.
Technical Details
The vulnerability stems from the insecure use of the extract() function within the evaluate_shortcode_from_flat_file method of the Code Snippets plugin. Specifically, the plugin processes shortcode attributes, controlled by the attacker, through extract(). This allows an attacker to overwrite the $filepath variable, which is subsequently used in a require_once statement. This effectively grants the attacker the ability to include and execute arbitrary PHP code if they can manipulate the `$filepath` through shortcode attributes.
This vulnerability is located in class-front-end.php. You can see the relevant code sections here:
CVSS Analysis
- CVE ID: CVE-2025-13035
- Severity: HIGH
- CVSS Score: 8
A CVSS score of 8 indicates a high level of severity. This means that the vulnerability is relatively easy to exploit and can have significant consequences, potentially leading to complete system compromise.
Possible Impact
Successful exploitation of this vulnerability could allow an attacker to:
- Gain complete control of the WordPress website.
- Modify website content, including injecting malicious code.
- Steal sensitive data, such as user credentials and database information.
- Use the compromised server to launch further attacks.
Mitigation and Patch Steps
- Update the Code Snippets plugin: The most crucial step is to update the Code Snippets plugin to the latest version. The vulnerability is patched in versions greater than 3.9.1.
- Disable “Enable file-based execution”: If you are unable to update immediately, consider disabling the “Enable file-based execution” setting in the Code Snippets plugin settings. This mitigates the most direct attack vector. However, be aware that this might break existing functionality that relies on file-based snippets.
- Review User Permissions: Limit Contributor-level access where possible. Ensure that only trusted users have the ability to create and edit content.
- Monitor for Suspicious Activity: Regularly monitor your website logs for any unusual activity, such as unauthorized file modifications or unexpected PHP code execution.