CVE-2025-26936
Published: 10 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-26936 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified under CWE-94, in the FRESHFACE Fresh Framework WordPress plugin (fresh-framework). This issue affects all versions from n/a through 1.70.0 inclusive. Published on 2025-03-10, it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), marking it as critically severe due to its potential for widespread remote exploitation.
The vulnerability enables unauthenticated attackers to exploit it remotely over the network with low complexity and no user interaction required. Successful exploitation grants remote code execution (RCE), allowing full compromise of the affected WordPress site with high impacts on confidentiality, integrity, and availability, alongside a scope change that could extend control beyond the vulnerable component.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/fresh-framework/vulnerability/wordpress-fresh-framework-plugin-1-70-0-unauthenticated-remote-code-execution-rce-vulnerability?_s_id=cve documents the unauthenticated RCE vulnerability in Fresh Framework plugin version 1.70.0.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated code injection vulnerability in a public-facing WordPress plugin enabling remote code execution, directly mapping to T1190 for exploitation of public-facing applications and facilitating T1059 for command/script execution via the injected code.