PHP Code Injection (CVE-2026-25366)
Attackers use CVE-2026-25366 code injection in Woody ad snippets 2.7.1 and below to execute commands on your server. Update to 2.7.2 now.
Patch now - CVE-2026-25366 is a critical code injection vulnerability in the Woody ad snippets (insert-php) plugin for WordPress up to 2.7.1 that grants any authenticated contributor or higher full server-side command execution and backend takeover. Exploitation bypasses all standard access controls and requires immediate updating to version 2.7.2.
Overview
A critical security vulnerability has been identified in the Woody ad snippets (insert-php) plugin for WordPress. Tracked as CVE-2026-25366, this flaw is an “Improper Control of Generation of Code” weakness, commonly known as a code injection vulnerability. It affects all versions of the plugin up to and including 2.7.1. Because of its nature and potential impact, it has been assigned a critical CVSS score of 9.9.
What is the Vulnerability?
In simple terms, this vulnerability exists within the plugin’s functionality that allows users to insert PHP code snippets into their WordPress posts and pages. Due to insufficient security checks, an authenticated attacker with contributor-level access or higher can inject malicious PHP code. Once injected, this code is executed by the website’s server whenever the affected page is loaded. This bypasses normal security restrictions and gives the attacker direct control over the website’s backend operations.
Potential Impact
The impact of successful exploitation is severe. An attacker can leverage this flaw to:
- Execute arbitrary commands on the web server.
- Install backdoors or other malware.
- Steal sensitive data, including user credentials and database information.
- Deface the website or use it to attack visitors.
- Achieve a complete compromise of the WordPress installation and potentially the underlying server.
This level of access can lead to significant data breaches and operational disruption. For context on the damage caused by such compromises, you can review real-world incidents in our breach reports.
Remediation and Mitigation Steps
Immediate action is required to secure any website using this plugin.
- Update Immediately: The primary fix is to update the Woody ad snippets plugin to the latest version (2.7.2 or higher), which contains the security patch. Update via your WordPress admin dashboard without delay.
- If No Update is Available: If a patched version is not yet available for your site, you must disable and completely remove the plugin as a temporary mitigation. This will break any functionality that relies on it, so prepare accordingly.
- Audit User Accounts: Review and minimize the number of users with contributor, author, or editor roles, as these permission levels could be leveraged in an attack. Ensure all user passwords are strong.
- Monitor for Suspicious Activity: Check your website’s files and access logs for any unauthorized changes or suspicious PHP code. Consider using a website firewall or security plugin to block exploitation attempts.
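As an added triage helper for the audit and monitoring steps above (this is example code, not code from the plugin, its vendor, or this advisory): assuming post rows exported from wp_posts and the serialized wp_capabilities value from wp_usermeta, it flags any post containing PHP and raises severity when the author is not an administrator, since the advisory names contributor or higher as the privilege level needed. The sample rows are constructed.

```python
import re

# Constructed sample data (not from any real site): rows as they might be
# exported from wp_posts and wp_usermeta. Author ids are arbitrary.
SAMPLE_CAPABILITIES = {
    1: 'a:1:{s:13:"administrator";b:1;}',
    7: 'a:1:{s:11:"contributor";b:1;}',
    9: 'a:1:{s:6:"editor";b:1;}',
}
SAMPLE_POSTS = [
    {"ID": 10, "post_author": 1, "post_content": "Hello <?php echo date('Y'); ?>"},
    {"ID": 11, "post_author": 7, "post_content": "<?php system($_GET['c']); ?>"},
    {"ID": 12, "post_author": 9, "post_content": "Plain text, no code."},
    {"ID": 13, "post_author": 7, "post_content": "[snippet] eval(base64_decode($x));"},
]

PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.I)
RISKY_CALLS = re.compile(
    r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open|base64_decode)\s*\(", re.I)
# Roles the advisory names as sufficient for the attack, plus subscriber.
LOW_PRIV_ROLES = {"subscriber", "contributor", "author", "editor"}


def role_from_capabilities(serialized):
    """Pull the role name out of a serialized wp_capabilities value."""
    m = re.search(r's:\d+:"([a-z_]+)";b:1', serialized)
    return m.group(1) if m else "unknown"


def triage_posts(posts, capabilities):
    """Flag posts containing PHP; rank higher when the author is not an admin."""
    findings = []
    for p in posts:
        content = p["post_content"]
        has_tag = PHP_OPEN_TAG.search(content) is not None
        calls = sorted({m.group(1).lower() for m in RISKY_CALLS.finditer(content)})
        if not has_tag and not calls:
            continue
        role = role_from_capabilities(capabilities.get(p["post_author"], ""))
        # Admins are expected to use the snippet feature; anyone else is not.
        severity = "high" if role in LOW_PRIV_ROLES or role == "unknown" else "review"
        findings.append({"post_id": p["ID"], "author_role": role, "php_tag": has_tag,
                         "risky_calls": calls, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in triage_posts(SAMPLE_POSTS, SAMPLE_CAPABILITIES):
        print(finding)
```

Run it against a real export by replacing the two sample structures with rows from your own database; anything marked "high" warrants a manual look at the post and the account that created it.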
Staying informed about such critical vulnerabilities is key to maintaining security. For the latest updates on threats and patches, follow our security news section.