{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/tigroumeow/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-6784"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Code Engine plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","rce","cve","web-application"],"_cs_type":"advisory","_cs_vendors":["tigroumeow","WordPress"],"content_html":"\u003cp\u003eThe Code Engine plugin for WordPress contains a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-6784, affecting all versions up to and including 0.3.5. This flaw stems from insufficient access restrictions on the plugin's code injection functionality when processing the \u003ccode\u003e[code-engine]\u003c/code\u003e shortcode. This design oversight enables authenticated attackers with Contributor-level privileges or higher to inject and execute arbitrary PHP code directly on the hosting web server. The vulnerability can lead to full compromise of the WordPress site and potentially the underlying server, making it a severe threat to organizations utilizing this plugin. The vulnerability was reported by Wordfence and assigned a CVSS v3.1 base score of 8.8 (High).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains valid Contributor-level (or higher) credentials for a WordPress website using the vulnerable Code Engine plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the WordPress administrative interface using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003e[code-engine]\u003c/code\u003e shortcode, embedding arbitrary PHP code (e.g., \u003ccode\u003e\u0026lt;?php system('id'); ?\u0026gt;\u003c/code\u003e) within it.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new post or page, or modifies an existing one, inserting the malicious \u003ccode\u003e[code-engine]\u003c/code\u003e shortcode into the content.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes or saves the post/page, triggering the WordPress system to process the content.\u003c/li\u003e\n\u003cli\u003eWhen WordPress renders the content, the Code Engine plugin processes the \u003ccode\u003e[code-engine]\u003c/code\u003e shortcode.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the plugin executes the embedded PHP payload, leading to Remote Code Execution on the web server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-6784 allows an authenticated attacker to achieve Remote Code Execution on the web server. This can lead to a complete compromise of the affected WordPress site, enabling attackers to deface the website, inject malware, steal sensitive data from the database, or establish persistence on the server. Furthermore, RCE can serve as an initial foothold for attackers to pivot to other systems within the organization's network. The high CVSS score of 8.8 reflects the significant impact on confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Code Engine plugin for WordPress to a version greater than 0.3.5, as referenced in the WordPress changeset [https://plugins.trac.wordpress.org/changeset/3345666].\u003c/li\u003e\n\u003cli\u003eDeploy a web application firewall (WAF) to detect and block HTTP POST requests targeting WordPress administrative endpoints (e.g., \u003ccode\u003e/wp-admin/post.php\u003c/code\u003e, \u003ccode\u003e/wp-json/wp/v2/posts\u003c/code\u003e) that contain the \u003ccode\u003e[code-engine]\u003c/code\u003e shortcode along with suspicious PHP function calls, as described in the detection rules below.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP POST requests as identified by the Sigma rule \u0026quot;Detects CVE-2025-6784 Exploitation - Malicious WordPress Shortcode Submission\u0026quot; for potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eRegularly audit WordPress user accounts and their assigned roles to ensure least privilege principles are applied, reducing the impact of compromised credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T07:18:15Z","date_published":"2026-07-11T07:18:15Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-6784/","summary":"The Code Engine plugin for WordPress, in versions up to and including 0.3.5, is vulnerable to Remote Code Execution (RCE) via its 'code-engine' shortcode, allowing authenticated attackers with Contributor-level access or above to execute arbitrary code on the server.","title":"Remote Code Execution in WordPress Code Engine Plugin via Shortcode (CVE-2025-6784)","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2025-6784/"}],"language":"en","title":"CraftedSignal Threat Feed - Tigroumeow","version":"https://jsonfeed.org/version/1.1"}