Cyber Resilience

CVE-2025-67944

CriticalRCE

Published: 22 January 2026

Published
22 January 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0049 38.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-67944 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003); ranked at the 38.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-67944 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified under CWE-94, in the Nelio AB Testing WordPress plugin (nelio-ab-testing) developed by Nelio Software. This issue affects all versions of the plugin from n/a through 8.1.8 inclusive. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

The attack scenario requires an authenticated attacker with high privileges, such as an administrator, to exploit the vulnerability remotely with low complexity and no user interaction. Successful exploitation enables arbitrary code injection and execution, granting the attacker high-impact control over confidentiality, integrity, and availability, with a scope change that can affect broader system components.

The primary advisory from Patchstack (https://patchstack.com/database/Wordpress/Plugin/nelio-ab-testing/vulnerability/wordpress-nelio-ab-testing-plugin-8-1-8-arbitrary-code-execution-vulnerability?_s_id=cve) documents this as an arbitrary code execution vulnerability specifically in Nelio AB Testing version 8.1.8. Security practitioners should consult the advisory for detailed mitigation recommendations, including any available patches or workarounds.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.This issue affects Nelio AB Testing: from n/a through <= 8.1.8.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Code injection (CWE-94) in WordPress plugin directly enables arbitrary PHP/server-side code execution by a privileged admin, mapping to web shell implantation and Unix shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28134Shared CWE-94
CVE-2024-56278Shared CWE-94
CVE-2026-25447Shared CWE-94
CVE-2025-57283Shared CWE-94
CVE-2026-44244Shared CWE-94
CVE-2026-26830Shared CWE-94
CVE-2024-54804Shared CWE-94
CVE-2026-30117Shared CWE-94
CVE-2025-67038Shared CWE-94
CVE-2024-54724Shared CWE-94

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the specific code injection flaw in Nelio AB Testing plugin versions through 8.1.8 by identifying, reporting, and applying patches.

prevent

Implements input validation and error handling at plugin entry points to block malicious code injection payloads.

prevent

Enforces least privilege to minimize the number of high-privilege administrator accounts that could exploit the PR:H requirement.

References