{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32573", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:52.970Z", "datePublished": "2026-03-25T16:15:12.700Z", "dateUpdated": "2026-03-25T19:56:30.414Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "nelio-ab-testing", "product": "Nelio AB Testing", "vendor": "Nelio Software", "versions": [{"changes": [{"at": "8.2.8", "status": "unaffected"}], "lessThanOrEqual": "<= 8.2.7", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:11:56.793Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.<p>This issue affects Nelio AB Testing: from n/a through <= 8.2.7.</p>"}], "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.This issue affects Nelio AB Testing: from n/a through <= 8.2.7."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:12.700Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/nelio-ab-testing/vulnerability/wordpress-nelio-ab-testing-plugin-8-2-7-remote-code-execution-rce-vulnerability?_s_id=cve"}], "title": "WordPress Nelio AB Testing plugin <= 8.2.7 - Remote Code Execution (RCE) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:56:15.821808Z", "id": "CVE-2026-32573", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:56:30.414Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32573", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T19:56:15.821808Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:56:26.884Z"}}], "cna": {"title": "WordPress Nelio AB Testing plugin <= 8.2.7 - Remote Code Execution (RCE) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "affected": [{"vendor": "Nelio Software", "product": "Nelio AB Testing", "versions": [{"status": "affected", "changes": [{"at": "8.2.8", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 8.2.7"}], "packageName": "nelio-ab-testing", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:11:56.793Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/nelio-ab-testing/vulnerability/wordpress-nelio-ab-testing-plugin-8-2-7-remote-code-execution-rce-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.This issue affects Nelio AB Testing: from n/a through <= 8.2.7.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.<p>This issue affects Nelio AB Testing: from n/a through <= 8.2.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:12.700Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32573", "state": "PUBLISHED", "dateUpdated": "2026-03-25T19:56:30.414Z", "dateReserved": "2026-03-12T11:12:52.970Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:15:12.700Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.This issue affects Nelio AB Testing: from n/a through <= 8.2.7."}], "id": "CVE-2026-32573", "lastModified": "2026-03-25T20:16:32.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:08.927", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/nelio-ab-testing/vulnerability/wordpress-nelio-ab-testing-plugin-8-2-7-remote-code-execution-rce-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.2.7]"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Nelio AB Testing", "source": "cna", "vendor": "Nelio Software"}, "product": "nelio_ab_testing", "vendor": "neliosoftware"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T21:52:21.524896+00:00", "value": {"mitigation_remediation": ["Update Nelio AB Testing plugin to version 8.2.8 or later, which removes the code injection flaw.", "If immediate update is not possible, disable the Nelio AB Testing plugin or remove it from the site until a patch is applied.", "Verify all WordPress sites and associated plugins are running a non\u2011vulnerable version and monitor for any unexpected code execution."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects Nelio Software\u2019s Nelio AB Testing plugin for WordPress. Versions from the initial release through 8.2.7, inclusive, are vulnerable. Any WordPress installation using one of these plugin versions is at risk.", "description_and_impact": "The vulnerability arises from an improper control of code generation in the Nelio AB Testing WordPress plugin. An attacker can inject arbitrary code that is evaluated by the application, enabling remote execution of PHP code. This flaw, classified as CWE\u201194, gives an attacker full control over the server, potentially compromising confidentiality, integrity, and availability of the site and any data stored on it.", "risk_and_exploitability": "The vulnerability scores a CVSS 9.1, indicating a high\u2011risk remote code execution flaw. EPSS data is not available and the flaw is not listed in CISA\u2019s KEV catalog. The likely attack vector is remote, as the code is injected through the plugin\u2019s interfaces, and exploitation requires the ability to supply malicious input. Because of the severe impact, disabling the plugin or updating to a patched version is strongly recommended."}}}}, "created": "2026-03-26T11:34:42.550770+00:00", "updated": "2026-03-26T12:12:06.535998+00:00", "vendors": ["neliosoftware", "neliosoftware$PRODUCT$nelio_ab_testing", "wordpress", "wordpress$PRODUCT$wordpress"]}