saas · MITRE
The Code Engine plugin for WordPress (versions up to and including 0.3.5) contains a remote code execution vulnerability in its 'code-engine' shortcode functionality. The plugin fails to restrict access to its code injection capabilities, allowing authenticated attackers with Contributor-level access or higher to execute arbitrary code on the affected server. Wordfence assigned a CVSS 3.1 base score of 8.8 (High severity).
For SaaS platforms and content management service providers using WordPress, this vulnerability poses a direct risk to infrastructure security and customer data confidentiality and integrity. Organizations subject to SOC2 Type II audits should inventory WordPress installations and third-party plugins, assess whether Code Engine is deployed, and ensure access controls enforce least-privilege principles for user roles. Defense contractors and agencies storing controlled unclassified information (CUI) on WordPress should treat plugin vulnerabilities as critical compliance concerns under CMMC 2.0 and NIST 800-171. An Omniware engagement can scope plugin inventory, access control maturity, and patch management processes in detail.
Source: National Vulnerability Database (NVD) - https://nvd.nist.gov/vuln/detail/CVE-2025-6784
Source: MITRE
All briefings