Following a report from the WordPress.org Plugins Team and Wordfence researchers (CVE-2025-14166), a vulnerability was identified in the Code Snippets module of WPMasterToolKit (versions ≤ 2.13.0).
This module allowed users with the Contributor role (or higher) to add and execute arbitrary PHP code on the server. Because that code runs with the full permissions of the WordPress process, a low-privileged account could use it to elevate its privileges.
⚠️ This could only be exploited if the Code Snippets module had previously been activated by an administrator and the attacker already held an account with the Contributor role or higher.
✔️ Corrected in version 2.13.1
To eliminate any risk:
- Access to the Code Snippets module is now strictly reserved for Administrators
- The WordPress capabilities of the snippet post type have been revised to require the manage_options capability (held only by Administrators by default) on all snippet-related actions: creating, reading, editing, publishing and deleting snippets
Modification implemented (in the arguments passed to register_post_type() for the snippet post type):

```php
'capability_type' => 'page',
// Every primitive capability the post type relies on is mapped to
// manage_options, which only the Administrator role holds by default.
// Contributors, Authors and Editors can therefore no longer create,
// read, edit, publish or delete snippets through this post type.
'capabilities' => array(
    'edit_post'          => 'manage_options',
    'read_post'          => 'manage_options',
    'delete_post'        => 'manage_options',
    'edit_posts'         => 'manage_options',
    'edit_others_posts'  => 'manage_options',
    'publish_posts'      => 'manage_options',
    'read_private_posts' => 'manage_options',
),
```
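To make the fix concrete, here is an added illustration (written for this note, not WPMasterToolKit's own code) of a snippet custom post type registered two ways: the weak pattern, where the post type inherits the default post capability map and so is reachable by anyone holding edit_posts, and the hardened pattern with the capability map shown above, plus an explicit capability and nonce check on the code path that would execute a snippet. The post type slug `wpmtk_snippet`, the function names and the AJAX action name are assumptions for the example.

```php
<?php
// Added example, not WPMasterToolKit code. Post type slug 'wpmtk_snippet',
// function names and the AJAX action name are assumptions.

// WEAK PATTERN: with capability_type 'post' and no overrides, the post type
// uses edit_posts / publish_posts etc. exactly like normal posts. Contributors
// hold edit_posts, so they can create snippet posts; if the plugin later runs
// the post content as PHP, that is arbitrary code execution for a Contributor.
function wpmtk_example_register_snippet_type_weak() {
    register_post_type( 'wpmtk_snippet', array(
        'public'          => false,
        'show_ui'         => true,
        'capability_type' => 'post',
    ) );
}

// HARDENED PATTERN (same shape as the 2.13.1 fix): every primitive capability
// the post type uses is mapped to manage_options, which only Administrators
// hold by default. map_meta_cap is set to false explicitly, so a call such as
// current_user_can( 'edit_post', $id ) on this post type resolves straight to
// manage_options instead of being mapped through edit_posts/edit_others_posts.
function wpmtk_example_register_snippet_type_hardened() {
    register_post_type( 'wpmtk_snippet', array(
        'public'          => false,
        'show_ui'         => true,
        'capability_type' => 'page',
        'map_meta_cap'    => false,
        'capabilities'    => array(
            'edit_post'          => 'manage_options',
            'read_post'          => 'manage_options',
            'delete_post'        => 'manage_options',
            'edit_posts'         => 'manage_options',
            'edit_others_posts'  => 'manage_options',
            'publish_posts'      => 'manage_options',
            'read_private_posts' => 'manage_options',
            // create_posts defaults to edit_posts; mapping it too removes the
            // "Add New" entry point for non-administrators.
            'create_posts'       => 'manage_options',
        ),
    ) );
}
add_action( 'init', 'wpmtk_example_register_snippet_type_hardened' );

// Defence in depth: the capability map governs the editing UI, but the code
// path that actually executes a snippet should re-check the capability and a
// nonce itself, so that a bug elsewhere cannot turn into code execution.
function wpmtk_example_run_snippet() {
    check_ajax_referer( 'wpmtk_example_run_snippet', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = get_post( $post_id );
    if ( ! $post || 'wpmtk_snippet' !== $post->post_type ) {
        wp_send_json_error( 'not a snippet', 404 );
    }

    // Only Administrators reach this line, so the snippet body is code that an
    // administrator chose to store. The execution step itself (for example
    // eval() on $post->post_content) is deliberately left out of this example.
    wp_send_json_success( array( 'executed' => $post->ID ) );
}
add_action( 'wp_ajax_wpmtk_example_run_snippet', 'wpmtk_example_run_snippet' );
```

The point of the second guard is that the capability map only protects the WordPress admin screens and REST/XML-RPC paths that honour it; any custom handler that turns stored content into running PHP must perform its own `current_user_can( 'manage_options' )` check, otherwise a later change to the capability map, or a direct call to that handler, reopens the hole.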
🔎 Additional checks in progress
In agreement with WordPress.org:
- A complete audit of permissions is underway on all modules
- Our code will be run through the WordPress.org Plugin Check tool to ensure compliance with WordPress development and security standards
🛡️ What you need to do
If you use WPMasterToolKit :
✔️ Update the plugin to version 2.13.1 or higher
⚠️ If the Code Snippets module was enabled, review every existing snippet and check that none were added or modified by a non-administrator user; treat any such snippet as untrusted code that may already have been executed.
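One way to carry out that check, as an added audit helper that is not part of WPMasterToolKit: list every snippet post whose author is not currently an Administrator, together with a rough indicator of functions commonly seen in web shells. The post type slug `wpmtk_snippet` is an assumption (adjust it to the real slug); the script is meant to be run inside WordPress, for example with `wp eval-file wpmtk-snippet-audit.php`.

```php
<?php
// Added audit helper, not WPMasterToolKit code. Assumes the snippet post type
// slug 'wpmtk_snippet' and that this runs inside WordPress (e.g. wp eval-file).

// Returns snippet posts not authored by a current Administrator.
function wpmtk_example_find_non_admin_snippets( $post_type = 'wpmtk_snippet' ) {
    $admin_ids = get_users( array(
        'role'   => 'administrator',
        'fields' => 'ID',
    ) );

    $args = array(
        'post_type'   => $post_type,
        'post_status' => 'any',   // drafts and trashed snippets count too
        'numberposts' => -1,
    );
    if ( ! empty( $admin_ids ) ) {
        $args['author__not_in'] = array_map( 'intval', $admin_ids );
    }

    $suspects = array();
    foreach ( get_posts( $args ) as $post ) {
        $author     = get_userdata( (int) $post->post_author );
        $suspects[] = array(
            'id'       => $post->ID,
            'title'    => $post->post_title,
            'status'   => $post->post_status,
            'author'   => $author ? $author->user_login : 'deleted user #' . $post->post_author,
            'roles'    => $author ? implode( ',', $author->roles ) : '',
            'modified' => $post->post_modified_gmt,
            'risky'    => wpmtk_example_risky_calls( $post->post_content ),
        );
    }
    return $suspects;
}

// Rough indicator only: PHP and WordPress functions frequently used by web
// shells and for account creation. A snippet that matches none of these is
// not necessarily benign; read every listed snippet in full.
function wpmtk_example_risky_calls( $code ) {
    $names = array(
        'eval', 'assert', 'system', 'exec', 'shell_exec', 'passthru',
        'base64_decode', 'gzinflate', 'file_put_contents', 'curl_exec',
        'wp_create_user', 'wp_insert_user', 'add_role', 'set_role',
    );
    $found = array();
    foreach ( $names as $fn ) {
        if ( preg_match( '/\b' . preg_quote( $fn, '/' ) . '\s*\(/i', $code ) ) {
            $found[] = $fn;
        }
    }
    return $found;
}

$suspects = wpmtk_example_find_non_admin_snippets();
if ( empty( $suspects ) ) {
    echo "No snippets authored by non-administrators found.\n";
}
foreach ( $suspects as $s ) {
    printf(
        "#%d [%s] \"%s\" by %s (%s) modified %s UTC; risky calls: %s\n",
        $s['id'], $s['status'], $s['title'], $s['author'], $s['roles'],
        $s['modified'], $s['risky'] ? implode( ', ', $s['risky'] ) : 'none'
    );
}
```

Two caveats: the author check only sees who WordPress recorded as the post author, so a snippet created by a Contributor and later re-saved by an Administrator still appears under the administrator; and if a malicious snippet was used to grant the attacker an Administrator account, that account's later snippets pass the filter. Review modification dates and the list of Administrator accounts alongside the output rather than relying on the author column alone.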
🙏 Thanks to the security community
We would like to thank :
- The WordPress.org Plugins Team
- Wordfence researchers who identified and documented the flaw
Our priority is and will remain the security of WordPress sites using WPMasterToolKit.
👋 A question, a doubt, a security report?
Our team remains available via WordPress.org support or our official website.
Let's stay vigilant, stay safe. 🔒🚀