WordPress Plugin Vulnerabilities

Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts < 2.7.2 - Authenticated (Contributor+) Remote Code Execution

Description

The Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
insert-php
Fixed in 2.7.2

References

CVE
CVE-2026-25366
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ada52ae9-7d14-405d-9efc-b993ea273a26

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (High)

Miscellaneous

Original Researcher
Nguyen Ba Khanh
Verified
No
WPVDB ID
cdb782a4-26f5-4ee9-9bba-fc3a1f1de21b

Timeline

Publicly Published
2026-03-23 (about 3 months ago)
Added
2026-05-05 (about 1 month ago)
Last Updated
2026-05-05 (about 1 month ago)

Other

Published
Title
Published
2026-06-17
Title
Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets < 4.2.4 - Contributor+ Remote Code Execution
Published
2017-01-11
Title
WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer
Published
2026-04-21
Title
FunnelFormsPro <= 3.8.1 - Authenticated (Subscriber+) Remote Code Execution
Published
2025-09-05
Title
Rehub < 19.9.8 - Unauthenticated Arbitrary Shortcode Execution via re_filterpost
Published
2025-08-15
Title
Soledad < 8.6.8 - Unauthenticated Arbitrary Shortcode Execution