The Code Snippets plugin for WordPress suffers from a PHP code injection vulnerability (CWE-94) due to unsafe use of extract() on shortcode attributes controlled by an attacker. This allows overwriting the $filepath variable passed to require_once, enabling arbitrary PHP code execution on the server. The vulnerability affects all versions up to and including 3.9.1. Exploitation requires authenticated access at Contributor level or above, and relies on an administrator enabling the "Enable file-based execution" setting and having at least one active Content snippet. The CVSS 3.1 base score is 8.0, indicating high severity with network attack vector, high impact on confidentiality, integrity, and availability, and requiring low privileges but user interaction.

Successful exploitation allows an authenticated user with Contributor-level access or higher to execute arbitrary PHP code on the server hosting the WordPress site. This can lead to full compromise of the web server, including data theft, site defacement, or further pivoting within the network. The attack requires tricking an administrator to enable a specific plugin setting, which adds a social engineering component to the threat. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, administrators should avoid enabling the "Enable file-based execution" setting in the Code Snippets plugin and restrict Contributor-level access where possible. Monitoring plugin settings and limiting administrative actions can reduce risk. Do not enable file-based execution unless absolutely necessary and only after verifying plugin updates or vendor advisories.