Cyber Posture

CVE-2025-26970

Critical

Published: 03 March 2025

Published
03 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0024 47.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-26970 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified as CWE-94, in the FRESHFACE Ark Theme Core (ark-core) WordPress plugin. This issue affects all versions from n/a through those prior to 1.71.0. Published on 2025-03-03, it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), marking it as critical.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation enables code injection, leading to remote code execution (RCE) with high impacts on confidentiality, integrity, and availability, and a changed scope.

The Patchstack advisory details this as an unauthenticated RCE vulnerability specifically in Ark Theme Core plugin version 1.70.0 and earlier versions. Mitigation requires updating to version 1.71.0 or later.

Details

CWE(s)
CWE-94

Affected Products

arktheme
the ark
≤ 1.70.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Unauthenticated remote code injection leading to RCE in a public-facing WordPress plugin directly maps to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References