Cyber Resilience

CVE-2026-25366

CriticalRCE

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0031 22.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-25366 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25366 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified under CWE-94, in the Themeisle Woody ad snippets insert-php WordPress plugin. This issue affects versions from n/a through 2.7.1 and was published on 2026-03-25.

The vulnerability carries a CVSS v3.1 base score of 9.9 (Critical), with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. A low-privileged remote attacker (PR:L) can exploit it over the network with low complexity and no user interaction, achieving a scope change that results in high impacts to confidentiality, integrity, and availability, enabling remote code execution.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/insert-php/vulnerability/wordpress-woody-ad-snippets-plugin-2-7-1-remote-code-execution-rce-vulnerability?_s_id=cve details this remote code execution vulnerability in Woody ad snippets plugin version 2.7.1; practitioners should review it for mitigation guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.This issue affects Woody ad snippets: from n/a through <= 2.7.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE describes unauthenticated RCE via code injection in public-facing WordPress plugin (T1190); achieved RCE directly permits arbitrary command execution through the server's scripting interpreter (T1059.004 Unix Shell); low-privileged access escalates to full system impact via scope change (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-67036Shared CWE-94
CVE-2025-67034Shared CWE-94
CVE-2025-67037Shared CWE-94
CVE-2026-32613Shared CWE-94
CVE-2026-28425Shared CWE-94
CVE-2024-56373Shared CWE-94
CVE-2026-26830Shared CWE-94
CVE-2024-54804Shared CWE-94
CVE-2025-67038Shared CWE-94
CVE-2024-54806Shared CWE-94

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly prevents code injection by requiring validation and sanitization of inputs to the PHP snippet insertion feature in the Woody ad snippets plugin.

prevent

SI-2 mandates timely patching and remediation of the known code injection flaw in Woody ad snippets versions through 2.7.1.

prevent

CM-7 reduces the attack surface by disabling unnecessary functionality such as the vulnerable PHP code insertion capability in the plugin.

References