The vulnerability identified as CVE-2025-13035 affects the Code Snippets plugin for WordPress, specifically all versions up to and including 3.9.1. The root cause is the use of PHP's extract() function on attacker-controlled shortcode attributes within the evaluate_shortcode_from_flat_file method. This improper control allows an attacker to overwrite the $filepath variable, which is later passed to require_once, enabling arbitrary PHP code execution on the server. The attack vector requires an authenticated user with at least Contributor-level access to the WordPress site. However, exploitation also depends on an administrator enabling the "Enable file-based execution" setting and having at least one active Content snippet configured. The attacker can leverage PHP filter chains via the [code_snippet] shortcode to inject malicious code. This vulnerability is classified under CWE-94 (Improper Control of Generation of Code), indicating a code injection flaw. The CVSS v3.1 score is 8.0 (High), with attack vector Network, attack complexity High, privileges required Low, user interaction Required, and scope Changed. Although no known exploits are reported in the wild, the potential for severe impact on server security is significant. The vulnerability affects the confidentiality, integrity, and availability of the affected systems by allowing remote code execution. The plugin is widely used in WordPress environments, making this a critical concern for many websites relying on it for code snippet management.

If exploited, this vulnerability allows attackers to execute arbitrary PHP code on the web server hosting the WordPress site. This can lead to full system compromise, including data theft, website defacement, installation of backdoors, pivoting to internal networks, and disruption of services. Because the attack requires Contributor-level access, it lowers the barrier compared to requiring administrator credentials, increasing the risk from insider threats or compromised lower-privilege accounts. The requirement for an administrator to enable file-based execution and have active content snippets means social engineering or insider collusion could facilitate exploitation. The impact spans confidentiality (data exposure), integrity (code and content manipulation), and availability (service disruption). Organizations relying on this plugin for managing code snippets face significant risk, especially if they do not restrict user roles or monitor plugin settings. The vulnerability's network attack vector and changed scope mean it can affect multiple components beyond the WordPress application itself, potentially impacting the underlying server environment.

1. Immediately disable the "Enable file-based execution" setting in the Code Snippets plugin to prevent exploitation. 2. Restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious shortcode injection. 3. Monitor and audit user roles and plugin settings regularly to detect unauthorized changes or suspicious activity. 4. Until an official patch is released, consider removing or deactivating the Code Snippets plugin if it is not essential. 5. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode usage patterns or attempts to manipulate the $filepath variable. 6. Educate administrators about the risks of enabling file-based execution and the importance of validating plugin settings. 7. After a patch is available, promptly update the plugin to the fixed version. 8. Conduct regular security assessments and code reviews for plugins that execute dynamic code to identify similar risks. 9. Employ principle of least privilege for all WordPress roles and limit plugin management capabilities to administrators only. 10. Use intrusion detection systems to monitor for unusual PHP execution patterns indicative of exploitation attempts.