{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25366", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:55.300Z", "datePublished": "2026-03-25T16:14:45.830Z", "dateUpdated": "2026-04-28T16:14:56.667Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "insert-php", "product": "Woody ad snippets", "vendor": "Themeisle", "versions": [{"changes": [{"at": "2.7.2", "status": "unaffected"}], "lessThanOrEqual": "2.7.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:26.018Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.<p>This issue affects Woody ad snippets: from n/a through <= 2.7.1.</p>"}], "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.This issue affects Woody ad snippets: from n/a through <= 2.7.1."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:56.667Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/insert-php/vulnerability/wordpress-woody-ad-snippets-plugin-2-7-1-remote-code-execution-rce-vulnerability?_s_id=cve"}], "title": "WordPress Woody ad snippets plugin <= 2.7.1 - Remote Code Execution (RCE) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:54:20.568181Z", "id": "CVE-2026-25366", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:36:11.477Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25366", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T19:54:20.568181Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:54:16.374Z"}}], "cna": {"title": "WordPress Woody ad snippets plugin <= 2.7.1 - Remote Code Execution (RCE) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Themeisle", "product": "Woody ad snippets", "versions": [{"status": "affected", "changes": [{"at": "2.7.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.7.1"}], "packageName": "insert-php", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:26.018Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/insert-php/vulnerability/wordpress-woody-ad-snippets-plugin-2-7-1-remote-code-execution-rce-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.This issue affects Woody ad snippets: from n/a through <= 2.7.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.<p>This issue affects Woody ad snippets: from n/a through <= 2.7.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:09.135Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25366", "state": "PUBLISHED", "dateUpdated": "2026-04-28T01:36:11.477Z", "dateReserved": "2026-02-02T12:52:55.300Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:45.830Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.This issue affects Woody ad snippets: from n/a through <= 2.7.1."}, {"lang": "es", "value": "Vulnerabilidad de Control Inadecuado de la Generaci\u00f3n de C\u00f3digo ('Inyecci\u00f3n de C\u00f3digo') en Themeisle Woody ad snippets insert-PHP permite la Inyecci\u00f3n de C\u00f3digo. Este problema afecta a Woody ad snippets: desde n/a hasta &lt;= 2.7.1."}], "id": "CVE-2026-25366", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:47.560", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/insert-php/vulnerability/wordpress-woody-ad-snippets-plugin-2-7-1-remote-code-execution-rce-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Woody ad snippets", "source": "cna", "vendor": "Themeisle"}, "product": "woody_ad_snippets", "vendor": "themeisle"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T22:06:28.145702+00:00", "value": {"mitigation_remediation": ["Upgrade the Woody ad snippets plug\u2011in to a version newer than 2.7.1 if one is available.", "If an upgrade cannot be performed immediately, deactivate or delete the insert\u2011php functionality to prevent code injection.", "Verify that no malicious PHP code has been placed via the insert\u2011php field and remove any such code.", "Restrict administrative access to the plugin settings to trusted users only."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Woody ad snippets plug\u2011in deployed with versions up to and including 2.7.1 are affected. The vulnerability is limited to installations where the insert\u2011php capability is enabled.", "description_and_impact": "The flaw is an improper control of code generation in the WordPress Woody ad snippets plug\u2011in\u2019s insert\u2011php feature, allowing an attacker to inject and execute arbitrary PHP code. This results in full compromise of the web application, affecting confidentiality, integrity, and availability. The weakness is classified under CWE\u201194, Code Injection.", "risk_and_exploitability": "The CVSS score of 9.9 marks this as a critical vulnerability. EPSS and KEV data are unavailable, but the nature of the flaw suggests a high probability of exploitation in environments where the plug\u2011in remains active. The likely attack vector is through the insert\u2011php interface, probably requiring authenticated access to the WordPress admin area. The impact is full remote code execution on the affected host."}}}}, "created": "2026-03-26T11:38:44.938943+00:00", "updated": "2026-03-26T12:12:45.376696+00:00", "vendors": ["themeisle", "themeisle$PRODUCT$woody_ad_snippets", "wordpress", "wordpress$PRODUCT$wordpress"]}