CVE-2025-64356
Description
Missing Authorization vulnerability in f1logic Insert PHP Code Snippet insert-php-code-snippet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Insert PHP Code Snippet: from n/a through <= 1.4.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Insert PHP Code Snippet plugin (≤1.4.3) allows unauthenticated or low-privilege users to exploit incorrectly configured access controls.
Vulnerability Overview
The Insert PHP Code Snippet plugin for WordPress, versions 1.4.3 and earlier, contains a missing authorization vulnerability. The plugin fails to enforce proper access control checks on certain functions, allowing exploitation of incorrectly configured access control security levels. This is classified as a broken access control issue, where the plugin does not verify that the user has the required privileges before executing sensitive actions [1].
Exploitation Conditions
An attacker can exploit this vulnerability without needing high-level privileges. The missing authorization means that any user who can interact with the plugin's functionality, potentially including unauthenticated visitors, may be able to perform actions that should be restricted to administrators. The attack surface is broad because the plugin is used on many WordPress sites, and the vulnerability can be chained in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].
Impact
Successful exploitation allows an attacker to bypass access controls and execute unauthorized actions, such as inserting or modifying PHP code snippets. This could lead to arbitrary code execution on the server, data theft, or complete site compromise, depending on the specific missing authorization. The CVSS v3 base score is 4.3 (Medium), indicating a low severity impact, and the vendor notes it is unlikely to be exploited in practice [1].
Mitigation
The vulnerability is patched in version 1.4.4 of the plugin. Users are strongly advised to update immediately. If updating is not possible, users should contact their hosting provider or web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins to stay protected [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 1.4.3
- (no CPE) range: <=1.4.3
Patches
No patches discovered yet.
References