{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14166", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T21:21:47.576Z", "datePublished": "2025-12-12T03:20:46.466Z", "dateUpdated": "2026-04-08T16:56:35.965Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:35.965Z"}, "affected": [{"vendor": "ludwigyou", "product": "WPMasterToolKit (WPMTK) \u2013 All in one plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.13.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0. This is due to the plugin allowing Author-level users to create and execute arbitrary PHP code through the Code Snippets feature without proper capability checks. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server, leading to remote code execution, privilege escalation, and complete site compromise."}], "title": "WPMasterToolKit (WPMTK) <= 2.13.0 - Authenticated (Contributor+) Code Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6049996a-514a-44f7-9878-4aa43598842a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/trunk/admin/modules/core/class-code-snippets.php#L135"}, {"url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/tags/2.13.0/admin/modules/core/class-code-snippets.php#L135"}, {"url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/trunk/admin/modules/core/class-code-snippets.php#L628"}, {"url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/tags/2.13.0/admin/modules/core/class-code-snippets.php#L628"}, {"url": "https://plugins.trac.wordpress.org/log/wpmastertoolkit/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Powpy"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}, {"lang": "en", "type": "finder", "value": "Varakorn Chanthasri"}, {"lang": "en", "type": "finder", "value": "Peerapat Samatathanyakorn"}, {"lang": "en", "type": "finder", "value": "Sopon Tangpathum (SoNaJaa)"}], "timeline": [{"time": "2025-12-11T14:32:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T17:54:30.314072Z", "id": "CVE-2025-14166", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:15:27.698Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14166", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T17:54:30.314072Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T17:54:34.924Z"}}], "cna": {"title": "WPMasterToolKit (WPMTK) <= 2.13.0 - Authenticated (Contributor+) Code Injection", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Powpy"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}, {"lang": "en", "type": "finder", "value": "Varakorn Chanthasri"}, {"lang": "en", "type": "finder", "value": "Peerapat Samatathanyakorn"}, {"lang": "en", "type": "finder", "value": "Sopon Tangpathum (SoNaJaa)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "ludwigyou", "product": "WPMasterToolKit (WPMTK) \u2013 All in one plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.13.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T14:32:15.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6049996a-514a-44f7-9878-4aa43598842a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/trunk/admin/modules/core/class-code-snippets.php#L135"}, {"url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/tags/2.13.0/admin/modules/core/class-code-snippets.php#L135"}, {"url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/trunk/admin/modules/core/class-code-snippets.php#L628"}, {"url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/tags/2.13.0/admin/modules/core/class-code-snippets.php#L628"}, {"url": "https://plugins.trac.wordpress.org/log/wpmastertoolkit/"}], "descriptions": [{"lang": "en", "value": "The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0. This is due to the plugin allowing Author-level users to create and execute arbitrary PHP code through the Code Snippets feature without proper capability checks. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server, leading to remote code execution, privilege escalation, and complete site compromise."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:35.965Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14166", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:56:35.965Z", "dateReserved": "2025-12-05T21:21:47.576Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:46.466Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0. This is due to the plugin allowing Author-level users to create and execute arbitrary PHP code through the Code Snippets feature without proper capability checks. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server, leading to remote code execution, privilege escalation, and complete site compromise."}], "id": "CVE-2025-14166", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:49.257", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/tags/2.13.0/admin/modules/core/class-code-snippets.php#L135"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/tags/2.13.0/admin/modules/core/class-code-snippets.php#L628"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/trunk/admin/modules/core/class-code-snippets.php#L135"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/trunk/admin/modules/core/class-code-snippets.php#L628"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/log/wpmastertoolkit/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6049996a-514a-44f7-9878-4aa43598842a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:30:31.487858+00:00", "value": {"mitigation_remediation": ["Upgrade WPMasterToolKit to the latest version that addresses the code injection flaw.", "If an immediate upgrade is not possible, disable or remove the Code Snippets feature until the fix is available.", "Restrict Contributor-level access and monitor the site for any unauthorized code execution attempts."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All releases of the WPMasterToolKit (WPMTK) WordPress plugin up to version 2.13.0 are affected. The issue exists in the core module handling code snippets and is present in the plugin files historical and trunk versions referenced in the advisory. No other products or vendors are listed as affected.", "description_and_impact": "The vulnerability in the WPMasterToolKit plugin allows authenticated users with Contributor-level access to inject and execute arbitrary PHP code through the Code Snippets feature. This code injection is a weakness that can lead to remote code execution, privilege escalation to higher WordPress roles, and eventual full site compromise. The weakness is categorized as CWE\u201194, indicating an injection of malicious code without proper validation or sanitization.", "risk_and_exploitability": "The CVSS score of 5.3 places the vulnerability in the medium severity range, and the EPSS score of less than 1% suggests a low yet non\u2011zero probability of exploitation. When combined with the fact that the attack vector requires an authenticated Contributor or higher, the risk is mitigated by the need for user access but remains significant if such users exist on the site. The vulnerability is not listed in the CISA KEV catalog, further indicating that actively exploited instances are not currently documented. An attacker would exploit the plugin's lack of capability checks by submitting malicious PHP through the user interface and then executing it via the same interface, allowing code execution on the server."}}}}, "created": "2025-12-12T08:48:15.536469+00:00", "updated": "2026-04-21T17:30:37.705855+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}