CVE-2025-13035 is a critical PHP code injection vulnerability identified in the Code Snippets plugin for WordPress, affecting all versions up to and including 3.9.1. The root cause is the plugin's use of the PHP extract() function on shortcode attributes controlled by attackers within the evaluate_shortcode_from_flat_file method. This allows an attacker to overwrite the $filepath variable, which is subsequently passed to require_once, enabling arbitrary PHP code execution on the server. The attack vector requires an authenticated user with at least Contributor-level access to exploit the vulnerability. However, exploitation also depends on an administrator enabling the "Enable file-based execution" setting and having at least one active content snippet. The attacker can then leverage the [code_snippet] shortcode with PHP filter chains to execute malicious code. The vulnerability affects confidentiality, integrity, and availability, as arbitrary code execution can lead to data theft, site defacement, or denial of service. The CVSS v3.1 base score is 8.0, reflecting high severity, with attack vector being network, attack complexity high, privileges required low, user interaction required, and scope changed. No public exploits are known at this time, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors and administrative users.

For European organizations, this vulnerability presents a significant threat to WordPress-based websites, particularly those that use the Code Snippets plugin to manage custom PHP code snippets. Successful exploitation can lead to full server compromise, allowing attackers to steal sensitive data, deface websites, deploy malware, or disrupt services. This is especially critical for organizations relying on WordPress for customer-facing portals, e-commerce, or internal communications. The requirement for Contributor-level access lowers the barrier for exploitation within organizations that allow multiple users to contribute content. If an attacker gains such access, they can leverage this vulnerability to escalate privileges and execute arbitrary code. The impact extends to data confidentiality breaches under GDPR regulations, potential service outages, and reputational damage. Additionally, the need for administrator involvement to enable file-based execution means social engineering or insider threats could facilitate exploitation. Given the widespread use of WordPress across Europe, the vulnerability could affect a broad range of sectors including government, education, media, and commerce.

To mitigate this vulnerability, European organizations should immediately audit their WordPress installations for the presence of the Code Snippets plugin and verify the version in use. Administrators should disable the "Enable file-based execution" setting if it is enabled, as this setting is a prerequisite for exploitation. Review and restrict Contributor-level user permissions to the minimum necessary, and monitor for suspicious shortcode usage or snippet creation. Implement strict access controls and multi-factor authentication for administrative accounts to reduce the risk of social engineering enabling the setting change. Until an official patch is released, consider temporarily deactivating the Code Snippets plugin or replacing it with alternative, secure methods for managing PHP snippets. Regularly monitor WordPress logs for unusual require_once calls or shortcode activity. Educate administrators and contributors about the risks of enabling file-based execution and the importance of cautious plugin configuration. Once a patch is available, apply it promptly. Additionally, implement web application firewalls (WAFs) with rules to detect and block suspicious shortcode or PHP filter chain usage patterns.