CVE-2025-48169: 
WordPress vulnerability analysis and mitigation

A Remote Code Execution (RCE) vulnerability was discovered in the WordPress Code Engine Plugin, identified as CVE-2025-48169. The vulnerability affects versions up to 0.3.3 of the Code Engine plugin developed by Jordy Meow. The issue was initially reported on June 29, 2025, and was publicly disclosed on August 7, 2025. The vulnerability is classified as an Improper Control of Generation of Code (Code Injection) issue that allows Remote Code Inclusion (Patchstack, NVD).

The vulnerability has received multiple severity assessments. Patchstack assigned it a CVSS v3.1 score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and requiring low privileges. The vulnerability is categorized under CWE-94 (Improper Control of Generation of Code). The issue specifically affects users with Contributor-level access or higher (Patchstack).

The vulnerability could allow malicious actors to execute commands on the target website, potentially leading to full website compromise. As a Remote Code Execution vulnerability, successful exploitation could result in backdoor access and complete control of the affected website (Patchstack).

The vulnerability has been fixed in version 0.3.4 of the Code Engine plugin. Users are strongly advised to update to version 0.3.4 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).