CVE-2025-13035: 
WordPress vulnerability analysis and mitigation

The Code Snippets plugin for WordPress contains a PHP Code Injection vulnerability (CVE-2025-13035) affecting all versions up to and including 3.9.1. The vulnerability was discovered and disclosed on November 18, 2025. The issue exists in the plugin's evaluate_shortcode_from_flat_file method, which improperly handles attacker-controlled shortcode attributes using the extract() function (NVD, Rapid7).

The vulnerability stems from the plugin's use of extract() on attacker-controlled shortcode attributes within the evaluate_shortcode_from_flat_file method. This can be exploited to overwrite the $filepath variable, which is subsequently passed to require_once. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H, indicating network accessibility with high attack complexity, low privileges required, and user interaction needed (NVD).

If successfully exploited, authenticated attackers with Contributor-level access or higher can execute arbitrary PHP code on the server via the [code_snippet] shortcode. This is possible when an administrator enables the "Enable file-based execution" setting and creates at least one active Content snippet (NVD).