VYPR
Medium severity 6.6 · NVD Advisory · Published Sep 26, 2025 · Updated Apr 23, 2026

CVE-2025-60114

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in YayCommerce YayCurrency yaycurrency allows Code Injection. This issue affects YayCurrency: from n/a through <= 3.3.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Code injection vulnerability in YayCurrency WordPress plugin allows remote code execution, enabling attackers to take over websites running versions ≤3.3.1.

CVE-2025-60114 is a code injection vulnerability in the YayCurrency plugin for WordPress, affecting versions up to and including 3.3.1. The plugin fails to properly control the generation of code, allowing an attacker to inject arbitrary code [1].

The vulnerability can be exploited remotely without authentication, making it accessible to any unauthenticated visitor. Attackers can send crafted requests to inject malicious code, which is then executed on the server. This type of vulnerability is actively used in mass-exploit campaigns targeting thousands of WordPress sites [1].

Successful exploitation allows an attacker to execute arbitrary commands on the underlying server. This can lead to backdoor installation, data theft, and complete compromise of the WordPress site. The CVSS score of 6.6 reflects the medium severity, but the real-world impact is significant due to the ease of exploitation and availability of exploit scripts [1].

The vendor has released a patched version. Users are strongly advised to update YayCurrency to the latest version immediately. If updating is not possible, site administrators should contact their hosting provider for assistance. The vulnerability is listed on Patchstack and is known to be exploited in the wild [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
