cnvd - cnvd-2025-29293

CNVD-2025-29293

Vulnerability from cnvd - Published: 2025-11-24

Title

WordPress Code Snippets plugin代码注入漏洞

Description

WordPress Code Snippets plugin是一款专为WordPress设计的插件，用于便捷地添加和管理自定义代码片段，无需直接修改主题文件。 WordPress Code Snippets plugin存在代码注入漏洞，该漏洞源于evaluate_shortcode_from_flat_file方法对攻击者控制的短码属性使用extract函数，覆盖$filepath变量，随后传给require_once。攻击者可利用该漏洞导致PHP代码注入攻击。

Severity

高

Patch Name

WordPress Code Snippets plugin代码注入漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级程序修复该安全问题，详情见厂商官网: https://wordpress.org/plugins/code-snippets

Reference

https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.8.1/php/front-end/class-front-end.php#L295

Impacted products

Name
WordPress Code Snippets plugin <=3.9.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-13035",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-13035"
    }
  },
  "description": "WordPress Code Snippets plugin\u662f\u4e00\u6b3e\u4e13\u4e3aWordPress\u8bbe\u8ba1\u7684\u63d2\u4ef6\uff0c\u7528\u4e8e\u4fbf\u6377\u5730\u6dfb\u52a0\u548c\u7ba1\u7406\u81ea\u5b9a\u4e49\u4ee3\u7801\u7247\u6bb5\uff0c\u65e0\u9700\u76f4\u63a5\u4fee\u6539\u4e3b\u9898\u6587\u4ef6\u3002\n\nWordPress Code Snippets plugin\u5b58\u5728\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eevaluate_shortcode_from_flat_file\u65b9\u6cd5\u5bf9\u653b\u51fb\u8005\u63a7\u5236\u7684\u77ed\u7801\u5c5e\u6027\u4f7f\u7528extract\u51fd\u6570\uff0c\u8986\u76d6$filepath\u53d8\u91cf\uff0c\u968f\u540e\u4f20\u7ed9require_once\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4PHP\u4ee3\u7801\u6ce8\u5165\u653b\u51fb\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51:\r\nhttps://wordpress.org/plugins/code-snippets",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-29293",
  "openTime": "2025-11-24",
  "patchDescription": "WordPress Code Snippets plugin\u662f\u4e00\u6b3e\u4e13\u4e3aWordPress\u8bbe\u8ba1\u7684\u63d2\u4ef6\uff0c\u7528\u4e8e\u4fbf\u6377\u5730\u6dfb\u52a0\u548c\u7ba1\u7406\u81ea\u5b9a\u4e49\u4ee3\u7801\u7247\u6bb5\uff0c\u65e0\u9700\u76f4\u63a5\u4fee\u6539\u4e3b\u9898\u6587\u4ef6\u3002\r\n\r\nWordPress Code Snippets plugin\u5b58\u5728\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eevaluate_shortcode_from_flat_file\u65b9\u6cd5\u5bf9\u653b\u51fb\u8005\u63a7\u5236\u7684\u77ed\u7801\u5c5e\u6027\u4f7f\u7528extract\u51fd\u6570\uff0c\u8986\u76d6$filepath\u53d8\u91cf\uff0c\u968f\u540e\u4f20\u7ed9require_once\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4PHP\u4ee3\u7801\u6ce8\u5165\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "WordPress Code Snippets plugin\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "WordPress Code Snippets plugin \u003c=3.9.1"
  },
  "referenceLink": "https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.8.1/php/front-end/class-front-end.php#L295",
  "serverity": "\u9ad8",
  "submitTime": "2025-11-21",
  "title": "WordPress Code Snippets plugin\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2025-13035 (GCVE-0-2025-13035)

Vulnerability from cvelistv5 – Published: 2025-11-19 07:46 – Updated: 2025-11-19 17:21

Summary

The Code Snippets plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.9.1. This is due to the plugin's use of extract() on attacker-controlled shortcode attributes within the `evaluate_shortcode_from_flat_file` method, which can be used to overwrite the `$filepath` variable and subsequently passed to require_once. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server via the `[code_snippet]` shortcode using PHP filter chains granted they can trick an administrator into enabling the "Enable file-based execution" setting and creating at least one active Content snippet.

Severity ?

8 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

Wordfence

References

URL

Tags

	https://www.wordfence.com/threat-intel/vulnerabil…
	https://plugins.trac.wordpress.org/browser/code-s…
	https://plugins.trac.wordpress.org/browser/code-s…
	https://plugins.trac.wordpress.org/changeset?sfp_…

Impacted products

	Vendor	Product	Version
	codesnippetspro	Code Snippets	Affected: * , ≤ 3.9.1 (semver)

Credits

Michael Mazzolini

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13035",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-19T17:20:53.291261Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-19T17:21:07.364Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Code Snippets",
          "vendor": "codesnippetspro",
          "versions": [
            {
              "lessThanOrEqual": "3.9.1",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Michael Mazzolini"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Code Snippets plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.9.1. This is due to the plugin\u0027s use of extract() on attacker-controlled shortcode attributes within the `evaluate_shortcode_from_flat_file` method, which can be used to overwrite the `$filepath` variable and subsequently passed to require_once. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server via the `[code_snippet]` shortcode using PHP filter chains granted they can trick an administrator into enabling the \"Enable file-based execution\" setting and creating at least one active Content snippet."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-19T07:46:08.602Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7c7247c-2fc3-46ff-858e-2242b7211476?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.8.1/php/front-end/class-front-end.php#L295"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.8.1/php/front-end/class-front-end.php#L296"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3397635%40code-snippets%2Ftrunk\u0026old=3395415%40code-snippets%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file23"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-11-12T13:54:28.000+00:00",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-11-18T19:03:25.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Code Snippets \u003c= 3.9.1 - Authenticated (Contributor+) PHP Code Injection via extract() and PHP Filter Chains"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-13035",
    "datePublished": "2025-11-19T07:46:08.602Z",
    "dateReserved": "2025-11-11T17:05:21.590Z",
    "dateUpdated": "2025-11-19T17:21:07.364Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-29293

CVE-2025-13035 (GCVE-0-2025-13035)

Tags

Sightings

Nomenclature