<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Code Engine Plugin - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/code-engine-plugin/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 11 Jul 2026 07:18:15 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/code-engine-plugin/feed.xml" rel="self" type="application/rss+xml"/><item><title>Remote Code Execution in WordPress Code Engine Plugin via Shortcode (CVE-2025-6784)</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2025-6784/</link><pubDate>Sat, 11 Jul 2026 07:18:15 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2025-6784/</guid><description>The Code Engine plugin for WordPress, in versions up to and including 0.3.5, is vulnerable to Remote Code Execution (RCE) via its 'code-engine' shortcode, allowing authenticated attackers with Contributor-level access or above to execute arbitrary code on the server.</description><content:encoded><![CDATA[<p>The Code Engine plugin for WordPress contains a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-6784, affecting all versions up to and including 0.3.5. This flaw stems from insufficient access restrictions on the plugin's code injection functionality when processing the <code>[code-engine]</code> shortcode. This design oversight enables authenticated attackers with Contributor-level privileges or higher to inject and execute arbitrary PHP code directly on the hosting web server. The vulnerability can lead to full compromise of the WordPress site and potentially the underlying server, making it a severe threat to organizations utilizing this plugin. The vulnerability was reported by Wordfence and assigned a CVSS v3.1 base score of 8.8 (High).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains valid Contributor-level (or higher) credentials for a WordPress website using the vulnerable Code Engine plugin.</li>
<li>The attacker logs into the WordPress administrative interface using the compromised credentials.</li>
<li>The attacker crafts a malicious <code>[code-engine]</code> shortcode, embedding arbitrary PHP code (e.g., <code>&lt;?php system('id'); ?&gt;</code>) within it.</li>
<li>The attacker creates a new post or page, or modifies an existing one, inserting the malicious <code>[code-engine]</code> shortcode into the content.</li>
<li>The attacker publishes or saves the post/page, triggering the WordPress system to process the content.</li>
<li>When WordPress renders the content, the Code Engine plugin processes the <code>[code-engine]</code> shortcode.</li>
<li>Due to the vulnerability, the plugin executes the embedded PHP payload, leading to Remote Code Execution on the web server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-6784 allows an authenticated attacker to achieve Remote Code Execution on the web server. This can lead to a complete compromise of the affected WordPress site, enabling attackers to deface the website, inject malware, steal sensitive data from the database, or establish persistence on the server. Furthermore, RCE can serve as an initial foothold for attackers to pivot to other systems within the organization's network. The high CVSS score of 8.8 reflects the significant impact on confidentiality, integrity, and availability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the Code Engine plugin for WordPress to a version greater than 0.3.5, as referenced in the WordPress changeset [https://plugins.trac.wordpress.org/changeset/3345666].</li>
<li>Deploy a web application firewall (WAF) to detect and block HTTP POST requests targeting WordPress administrative endpoints (e.g., <code>/wp-admin/post.php</code>, <code>/wp-json/wp/v2/posts</code>) that contain the <code>[code-engine]</code> shortcode along with suspicious PHP function calls, as described in the detection rules below.</li>
<li>Monitor web server logs for suspicious HTTP POST requests as identified by the Sigma rule &quot;Detects CVE-2025-6784 Exploitation - Malicious WordPress Shortcode Submission&quot; for potential exploitation attempts.</li>
<li>Regularly audit WordPress user accounts and their assigned roles to ensure least privilege principles are applied, reducing the impact of compromised credentials.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>rce</category><category>cve</category><category>web-application</category></item></channel></rss>