PatchSiren cyber security CVE debrief
CVE-2025-6784 tigroumeow CVE debrief
The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin not restricting access to the code injecting functionality of the plugin. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. The vulnerability has a CVSS score of 8.8 and is considered HIGH severity. Users of the Code Engine plugin for WordPress, particularly those with Contributor-level access and above, should be aware of this vulnerability and take immediate action to update the plugin to a patched version.
- Vendor
- tigroumeow
- Product
- Code Engine – PHP Snippets, AI Functions & Automation for WordPress
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Users of the Code Engine plugin for WordPress, particularly those with Contributor-level access and above, should be aware of this vulnerability and take immediate action to update the plugin to a patched version. Additionally, administrators and security teams responsible for managing WordPress installations and ensuring the security of their systems should prioritize patching this vulnerability to prevent potential code execution attacks.
Technical summary
The Code Engine plugin for WordPress is vulnerable to Remote Code Execution (RCE) due to unrestricted access to the code injecting functionality of the plugin. An authenticated attacker with Contributor-level access and above can execute code on the server using the 'code-engine' shortcode. This vulnerability affects all versions of the plugin up to, and including, 0.3.5. The plugin's lack of access restrictions on the code injecting functionality allows for arbitrary code execution on the server.
Defensive priority
High
Recommended defensive actions
- Update the Code Engine plugin to a patched version
- Restrict access to the code injecting functionality of the plugin
- Monitor for suspicious activity on the server
- Implement additional security measures to prevent code injection attacks
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-11T07:16:44.637Z and has not been modified since then. The NVD entry is currently 8.8 HIGH. This information is based on the NVD entry and the CVE record. The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. The plugin does not restrict access to the code injecting functionality, allowing authenticated attackers with Contributor-level access and above to execute code on the server. Evidence of this vulnerability's existence is limited to the CVE record and NVD entry. Further verification is needed to confirm the scope and impact of this vulnerability.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T07:16:44.637Z and has not been modified since then.