Mallory

Code Injection Flaws Expose WordPress Snippet Plugins to Remote Code Execution

Tags: internet-facing-service-vulnerability, widely-deployed-product-advisory
Updated March 25, 2026 at 11:04 PM (2 sources)

Two high-severity vulnerabilities have been disclosed in popular WordPress snippet-management plugins, exposing sites to remote code execution through CWE-94 code injection flaws. CVE-2026-25001 affects Post Snippets by Saad Iqbal in versions up to and including 4.0.12, while CVE-2026-25366 affects Woody ad snippets (insert-php) by Themeisle in versions up to and including 2.7.1. Both CVE records cite Patchstack advisories and describe flaws through which an attacker can inject, or cause the site to include, attacker-controlled code on a vulnerable WordPress installation.
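To find out whether a site runs an affected build, the following is an added example (not code from either plugin, from Patchstack, or from this page) that reads the standard WordPress plugin header from each plugin's main file under wp-content/plugins and compares the version against the inclusive upper bounds above. The directory name post-snippets for Post Snippets is an assumption; insert-php is the slug the advisory gives for Woody ad snippets. The sample header embedded in the block is constructed for the example. Versions are compared as integer tuples, because a plain string comparison would rank 4.0.9 above 4.0.12 and miss affected installs.

```python
"""Inventory check for the two affected snippet plugins (added example).

Parses the WordPress plugin header ("Plugin Name:", "Version:") from each
plugin's main PHP file and flags versions inside the affected ranges the
CVE records state: Post Snippets <= 4.0.12, Woody ad snippets <= 2.7.1.
"""
import re
import sys
from pathlib import Path

# Affected ranges from the CVE records ("through" means inclusive).
# "post-snippets" as the directory slug is an assumption; "insert-php" is
# the slug given in the advisory for Woody ad snippets.
AFFECTED = {
    "post-snippets": ("CVE-2026-25001", (4, 0, 12)),
    "insert-php": ("CVE-2026-25366", (2, 7, 1)),
}

# Matches "Plugin Name: x" / "Version: x" in either "/* ... */" or
# "/** * ... */" header styles. "Requires PHP:" etc. do not match.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)

# Constructed sample of a plugin main file header (not the real plugin's file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Woody ad snippets
 * Description: constructed sample header for this example
 * Version: 2.7.1
 * Requires PHP: 7.4
 */
"""


def parse_version(text):
    """Turn '4.0.12' (or '4.0.12-beta1') into a comparable integer tuple,
    padded to three components so '4.1' compares as (4, 1, 0)."""
    core = text.strip().split("-")[0]          # drop pre-release suffix
    parts = []
    for piece in core.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(slug, version):
    """True when `slug` is a tracked plugin and `version` is at or below the
    affected upper bound (inclusive, as the advisories state)."""
    entry = AFFECTED.get(slug)
    if entry is None:
        return False
    return parse_version(version) <= entry[1]


def read_plugin_header(php_text):
    """Return (plugin name, version) from a plugin file, None for missing."""
    fields = {key: value for key, value in HEADER_RE.findall(php_text)}
    return fields.get("Plugin Name"), fields.get("Version")


def scan_plugins_dir(plugins_dir):
    """Walk wp-content/plugins and return (slug, name, version, cve) for every
    tracked plugin whose installed version falls in the affected range."""
    findings = []
    for plugin_dir in Path(plugins_dir).iterdir():
        if plugin_dir.name not in AFFECTED or not plugin_dir.is_dir():
            continue
        for php in sorted(plugin_dir.glob("*.php")):
            name, version = read_plugin_header(php.read_text(errors="replace"))
            if name is None:
                continue                     # not the main plugin file
            if version and is_affected(plugin_dir.name, version):
                cve = AFFECTED[plugin_dir.name][0]
                findings.append((plugin_dir.name, name, version, cve))
            break                            # header found; stop at main file
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for slug, name, version, cve in scan_plugins_dir(target):
        print(f"AFFECTED {slug} ({name} {version}): {cve}")
```

Run it with the path to the site's wp-content/plugins directory; a silent run means neither tracked plugin is installed at an affected version. It reads only the plugin header, so it does not tell you whether a snippet with attacker-supplied code is already stored in the database; that review has to be done separately.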

The two CVEs differ only in attack complexity; both have changed scope and high impact on confidentiality, integrity, and availability. CVE-2026-25001 is scored CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (base score 8.5, High), while CVE-2026-25366 carries CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (base score 9.9, Critical). Both require an authenticated account with low privileges (PR:L), so sites that let untrusted users register or hold low-privilege roles are the most exposed, and the Woody ad snippets flaw is the easier of the two to exploit once such an account is obtained. Organizations running either plugin should identify installed versions, update to a release later than 4.0.12 (Post Snippets) or 2.7.1 (Woody ad snippets), and review WordPress environments for signs of unauthorized code execution.

Timeline

  1. Mar 25, 2026

    CVE records updated with CVSS, CWE-94, and Patchstack references

    On March 25, 2026, both CVE-2026-25001 and CVE-2026-25366 records were updated to include CVSS v3.1 scoring, CWE-94 classification, and references to Patchstack advisories, adding technical severity and classification details.

  2. Mar 25, 2026

    CVE-2026-25366 disclosed for Woody ad snippets plugin RCE risk

    A code injection vulnerability tracked as CVE-2026-25366 was documented for the Themeisle Woody ad snippets WordPress plugin (insert-php), affecting versions through 2.7.1 and presenting potential remote code execution impact.

  3. Mar 25, 2026

    CVE-2026-25001 disclosed for Post Snippets plugin RCE risk

    A code injection vulnerability tracked as CVE-2026-25001 was documented for the WordPress Post Snippets plugin by Saad Iqbal, affecting versions through 4.0.12 and enabling remote code inclusion that could lead to remote code execution.


Related Stories

Critical WordPress Plugin Flaws Expose Sites to RCE and Privilege Escalation

Two high-severity vulnerabilities have been disclosed in widely deployed WordPress plugins, exposing internet-facing sites to **unauthenticated compromise**. `CVE-2026-3584` affects **Kali Forms** through version `2.4.9` and allows **remote code execution** because user-controlled input can be mapped into internal placeholder storage and later invoked via `call_user_func` in the `form_process` path. The issue is classified as `CWE-94` and carries a `CVSS 3.1` score with the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating critical impact on confidentiality, integrity, and availability. A second flaw, `CVE-2026-4038`, affects **Aimogen Pro** through version `2.7.5` and enables **unauthenticated privilege escalation** through an arbitrary function call in `aiomatic_call_ai_function_realtime` caused by a missing capability check. According to the disclosure, attackers can invoke WordPress functions such as `update_option` to change the default registration role to administrator and enable user registration, effectively creating a path to full site takeover. The vulnerability is tracked as `CWE-862` and was likewise rated with a high-impact `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`.

1 month ago

Critical WordPress Plugin Vulnerabilities Enable Account Takeover and Privilege Escalation

Multiple high-severity vulnerabilities were disclosed across popular **WordPress plugins**, creating pathways to account takeover, privilege escalation, and sensitive data exposure. The most severe issue, **CVE-2025-15521** in *Academy LMS* (<= `3.5.0`), allows **unauthenticated administrator account takeover** because the plugin’s password update flow relies on a **publicly exposed WordPress nonce** as authorization rather than validating user identity; *Wordfence* reported observing exploitation attempts in the wild and blocking dozens of attacks in a 24-hour period. Additional disclosures affect other plugins with different exploitation prerequisites and impacts. **CVE-2026-0726** in *Nexter Extension – Site Enhancements Toolkit* (<= `4.4.6`) is an **unauthenticated PHP object injection** via `nxt_unserialize_replace`, but it requires a usable **POP chain** from another installed plugin/theme to reach file deletion, data theft, or code execution. **CVE-2025-15347** in *Creator LMS* (<= `1.1.12`) enables **authenticated (Contributor+)** attackers to update arbitrary WordPress options due to a missing capability check, potentially leading to privilege escalation or site compromise. **CVE-2025-14977** in *Dokan* (<= `4.2.4`) is an **IDOR** in the `/wp-json/dokan/v1/settings` REST endpoint that lets **authenticated (Customer+)** users read/modify other vendors’ settings, including changing PayPal payout emails and accessing bank/payment details, enabling fraud and sensitive information disclosure.

1 month ago

Multiple Critical Vulnerabilities Disclosed Across Popular Software Platforms

A series of critical vulnerabilities have been disclosed affecting a wide range of popular software platforms, including WordPress plugins, web frameworks, developer tools, and enterprise applications. Notable issues include unauthenticated remote code execution (RCE) flaws in Next.js (CVE-2025-66478), WordPress core (CVE-2025-6389), and the ACF Extended plugin (CVE-2025-13486), as well as privilege escalation and authentication bypass vulnerabilities in the WP Directory Kit plugin (CVE-2025-13390) and cPanel. Several of these vulnerabilities are reported to be under active exploitation, with proof-of-concept code available for some, increasing the urgency for immediate patching and mitigation. Other significant disclosures include a high-severity flaw in Vim for Windows (CVE-2025-66476) allowing arbitrary code execution, a critical SQL injection chain in Synology BeeStation, and a directory traversal vulnerability in cPanel that could lead to full server takeover. Additional advisories cover issues in lz4-java, Longwatch OT surveillance, Django, Elementor, Apache Struts, nopCommerce, and OpenVPN, with many rated as critical or high severity by CVSS. Organizations are strongly advised to review affected products and apply security updates promptly to mitigate the risk of exploitation.

1 month ago