
CWE-94: Improper Control of Generation of Code ('Code Injection'), 1335 vulnerabilities

1335 vulnerabilities are classified as CWE-94 (Improper Control of Generation of Code ('Code Injection')). A Chinese-language AI analysis is included.

CWE-94 is a code injection weakness: the program builds all or part of executable code (a string handed to eval(), a file that is later include()d, a template or expression compiled at runtime, a shortcode or macro evaluated by the host application) from input it does not fully control, and fails to neutralize the elements that change that code's syntax. An attacker supplies input, typically through form fields, URL or API parameters, or configuration values, that closes off the intended fragment and appends statements of their own, which then run with the application's privileges. The consequences range from bypassing authentication and reading data the attacker should not see to full remote code execution on the host, often without any trace in the application's logs. The primary defence is not to generate code from external input at all: map user-supplied selectors onto fixed code through an allow-list or dispatch table, pass user data as arguments rather than as source text, and treat eval(), exec(), include() of writable files and similar dynamic execution as design smells to be refactored away. Where dynamic generation cannot be removed, validate the input against a strict accept-known-good specification and run the process in a sandbox so that injected code has limited reach.

MITRE CWE Description
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Common Consequences (4)
Access Control: Bypass Protection Mechanism
In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Access Control: Gain Privileges or Assume Identity
Injected code can access resources that the attacker is directly prevented from accessing.
Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands
When a product allows a user's input to contain code syntax, it might be possible for an attacker to craft the code in such a way that it will alter the intended control flow of the product. As a result, code injection can often result in the execution of arbitrary code. Code injection attacks can…
Non-Repudiation: Hide Activities
Often the actions performed by injected control code are unlogged.
Mitigations (5)
Architecture and Design: Refactor your program so that you do not have to dynamically generate code.
Architecture and Design: Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating s…
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Testing: Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Operation: Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Examples (2)
This example attempts to write user messages to a message file and allow users to view them. The message file is written as data but read back with include(), so anything a user writes into it is parsed as PHP.

    $MessageFile = "messages.out";
    if ($_GET["action"] == "NewMessage") {
        $name = $_GET["name"];
        $message = $_GET["message"];
        $handle = fopen($MessageFile, "a+");
        fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
        fclose($handle);
        echo "Message Saved!<p>\n";
    }
    else if ($_GET["action"] == "ViewMessages") {
        include($MessageFile);   // executes whatever was appended above
    }

Bad · PHP

    name=h4x0r
    message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E

Attack
URL-decoded, the message is <?php system("/bin/ls -l");?>. It is appended verbatim to messages.out, and the next ViewMessages request executes it through include().
edit-config.pl: This CGI script is used to modify settings in a configuration file. The action name from the request is spliced into a string of Perl source and handed to eval().

    use CGI qw(:standard);

    sub config_file_add_key {
        my ($fname, $key, $arg) = @_;
        # code to add a field/key to a file goes here
    }

    sub config_file_set_key {
        my ($fname, $key, $arg) = @_;
        # code to set key to a particular file goes here
    }

    sub config_file_delete_key {
        my ($fname, $key, $arg) = @_;
        # code to delete key from a particular file goes here
    }

    sub handleConfigAction {
        my ($fname, $action) = @_;
        my $key = param('key');
        my $val = param('val');

        # this is super-efficient code, especially if you have to invoke
        # any one of dozens of different functions!
        # $action is expected to be add_key, set_key or delete_key; nothing enforces that.
        # (The tail of this line and the eval() are truncated on this page and follow MITRE's example.)
        my $code = "config_file_${action}(\$fname, \$key, \$val);";
        eval($code);
    }

Bad · Perl

    action=add_key("",""); system("/bin/ls");

Attack
With this value for the action parameter, the string passed to eval() becomes config_file_add_key("",""); system("/bin/ls");($fname, $key, $val); and system("/bin/ls") runs on the server.
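The two examples above and the mitigation "refactor so that you do not have to dynamically generate code" are easier to see side by side. The following is an added example, not part of MITRE's CWE-94 text or of any product listed on this page: a Python rendering of the edit-config.pl dispatch pattern, with the vulnerable eval()-based dispatcher next to a hardened dispatcher that resolves the action through a fixed table. The config_file_* handlers, the file names, the audit log and the two attack payloads are all constructed for illustration.

```python
"""Code injection through dynamic dispatch, and the allow-list fix.

Added example (not MITRE's code): a Python version of the edit-config.pl
pattern. Handler names, file names and attack payloads are constructed.
"""

AUDIT_LOG = []         # what the config-file handlers were actually asked to do
ATTACKER_REACHED = []  # constructed sentinel: non-empty once injected code has run


def config_file_add_key(fname, key, val):
    AUDIT_LOG.append(("add", fname, key, val))
    return "added"


def config_file_set_key(fname, key, val):
    AUDIT_LOG.append(("set", fname, key, val))
    return "set"


def config_file_delete_key(fname, key, val):
    AUDIT_LOG.append(("delete", fname, key, val))
    return "deleted"


def handle_config_action_vulnerable(fname, action, key, val):
    """CWE-94: the request's `action` is spliced into source text for eval().

    The developer expects action in {"add_key", "set_key", "delete_key"}, but
    nothing enforces that: whatever the client appends after a valid name is
    executed as well, with access to every name visible in this module.
    """
    code = f"config_file_{action}(fname, key, val)"
    return eval(code)  # deliberately unsafe: this is the injection point


# Constructed payloads for the `action` parameter.
# 1. Attacker-chosen arguments: the server's fname is ignored and the delete
#    runs against a file the client named (Bypass Protection Mechanism).
ATTACK_ARGS = 'delete_key("/etc/app/secrets.conf", "admin_password", "") or config_file_add_key'
# 2. Arbitrary code that leaves the request looking normal: the conditional
#    expression runs attacker code (here, just recording os.name), then falls
#    through to the intended call, so the caller sees "added" and the audit log
#    shows only a legitimate add (Hide Activities).
ATTACK_HIDDEN = ('add_key if ATTACKER_REACHED.append(__import__("os").name) '
                 'else config_file_add_key')


# Hardened: the only strings a client may name, mapped to code we wrote.
ACTIONS = {
    "add_key": config_file_add_key,
    "set_key": config_file_set_key,
    "delete_key": config_file_delete_key,
}


def handle_config_action_safe(fname, action, key, val):
    """Hardened dispatcher: `action` is a table key, never source text.

    No string of any shape reaches an interpreter; key and val travel as data
    arguments; an unknown action is rejected before any handler runs.
    """
    try:
        handler = ACTIONS[action]
    except KeyError:
        raise ValueError(f"unsupported action: {action!r}") from None
    return handler(fname, key, val)


def safe_rejects(action):
    """True if the hardened dispatcher refuses `action` without running a handler."""
    before = len(AUDIT_LOG)
    try:
        handle_config_action_safe("/etc/app/config.txt", action, "k", "v")
    except ValueError:
        return len(AUDIT_LOG) == before
    return False


if __name__ == "__main__":
    fname = "/etc/app/config.txt"
    print(handle_config_action_vulnerable(fname, "add_key", "k", "v"))      # added
    print(handle_config_action_vulnerable(fname, ATTACK_ARGS, "k", "v"))    # deleted
    print(handle_config_action_vulnerable(fname, ATTACK_HIDDEN, "k", "v"))  # added
    print("audit log:", AUDIT_LOG)
    print("attacker code ran:", bool(ATTACKER_REACHED))
    print("hardened rejects payloads:", safe_rejects(ATTACK_ARGS), safe_rejects(ATTACK_HIDDEN))
```

The fix is structural rather than a filter: because the hardened version never turns `action` into source, there is no set of "dangerous characters" to enumerate, and the allow-list is simply the keys of the dispatch table. The same remedy applies to the PHP example, where the message should be stored as data and rendered with output escaping instead of being include()d.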
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-1465 | lmxcms Maintenance db.inc.php code injection | lmxcms | 4.1 | Medium | 2025-02-19
CVE-2024-13689 | Uncode Core <= 2.9.1.6 - Authenticated (Subscriber+) Arbitrary Shortcode Execution in uncode_get_medias | Uncode Core | 6.3 | Medium | 2025-02-18
CVE-2024-13797 | PressMart - Modern Elementor WooCommerce WordPress Theme <= 1.2.16 - Unauthenticated Arbitrary Shortcode Execution | PressMart - Modern Elementor WooCommerce WordPress Theme | 7.3 | High | 2025-02-18
CVE-2025-1302 | JSONPath Plus security vulnerability | jsonpath-plus | 9.8 | Critical | 2025-02-15
CVE-2024-13345 | Avada Builder <= 3.11.13 - Unauthenticated Arbitrary Shortcode Execution | Avada (Fusion) Builder | 7.3 | High | 2025-02-13
CVE-2024-13346 | Avada Theme <= 7.11.13 - Unauthenticated Arbitrary Shortcode Execution | Avada | Website Builder For WordPress & WooCommerce | 7.3 | High | 2025-02-13
CVE-2024-13814 | Global Gallery - WordPress Responsive Gallery <= 9.1.5 - Authenticated (Subscriber+) Arbitrary Shortcode Execution | Global Gallery - WordPress Responsive Gallery | 5.4 | Medium | 2025-02-12
CVE-2024-10644 | Ivanti Connect Secure code injection vulnerability | Connect Secure | 9.1 | Critical | 2025-02-11
CVE-2024-7425 | WP All Export Pro <= 1.9.1 - Authenticated (ShopManager+) Arbitrary Options Update | WP All Export Pro | 6.8 | Medium | 2025-02-07
CVE-2024-7419 | WP All Export Pro <= 1.9.1 - Unauthenticated Remote Code Execution via Custom Export Fields | WP All Export Pro | 8.3 | High | 2025-02-07
CVE-2024-13487 | CURCY – Multi Currency for WooCommerce <= 2.2.5 - Unauthenticated Arbitrary Shortcode Execution via get_products_price Function | CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x | 7.3 | High | 2025-02-06
CVE-2025-25246 | NETGEAR XR1000 and NETGEAR XR500 security vulnerability | XR1000 | 8.1 | High | 2025-02-05
CVE-2025-24677 | WordPress Post/Page Copying Tool to Export and Import post/page for Cross site Migration Plugin <= 2.0.3 - Remote Code Execution (RCE) vulnerability | Post/Page Copying Tool | 9.9 | Critical | 2025-02-04
CVE-2025-22204 | Extension - regularlabs.com - Remote code execution vulnerability in the Sourcerer extensions < 12.0.0 for Joomla | Sourcerer for Joomla | 9.8 | - | 2025-02-04
CVE-2025-24959 | Environment Variable Injection for dotenv API in zx | zx | 9.8 | - | 2025-02-03
CVE-2024-12415 | AI Infographic Maker <= 4.9.0 - Unauthenticated Arbitrary Shortcode Execution | AI Infographic Maker | 6.5 | Medium | 2025-01-31
CVE-2024-13472 | WooCommerce Product Table Lite <= 3.9.4 - Unauthenticated Arbitrary Shortcode Execution & Reflected Cross-Site Scripting | Product Table and List Builder for WooCommerce Lite | 7.3 | High | 2025-01-31
CVE-2024-23921 | ChargePoint Home Flex Command Injection | Home Flex | 8.8 | High | 2025-01-31
CVE-2024-23963 | Alpine Halo9 Stack-based Buffer Overflow | Halo9 | 8.0 | High | 2025-01-30
CVE-2024-11600 | Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg <= 1.6.0 - Authenticated (Administrator+) Remote Code Execution | Borderless – Addons and Templates for Elementor | 7.2 | High | 2025-01-30
CVE-2024-13453 | Contact Form & SMTP Plugin for WordPress by PirateForms <= 2.6.0 - Unauthenticated Arbitrary Shortcode Execution | Contact Form & SMTP Plugin for WordPress by PirateForms | 7.3 | High | 2025-01-30
CVE-2024-10001 | Code Injection Vulnerability in GitHub Enterprise Server Allows Arbitrary Code Execution via Message Handling | Enterprise Server | 8.3 | - | 2025-01-29
CVE-2025-24482 | FactoryTalk® View Site Edition - Local Code Injection | FactoryTalk® View Site Edition | 7.8 | - | 2025-01-28
CVE-2024-13499 | GamiPress <= 7.2.1 - Unauthenticated Arbitrary Shortcode Execution via gamipress_do_shortcode() Function | GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress | 7.3 | High | 2025-01-22
CVE-2024-13495 | GamiPress <= 7.2.1 - Unauthenticated Arbitrary Shortcode Execution via gamipress_ajax_get_logs Function | GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress | 7.3 | High | 2025-01-22
CVE-2024-51941 | Apache Ambari: Remote Code Injection in Ambari Metrics and AMS Alerts | Apache Ambari | 8.8 | - | 2025-01-21
CVE-2025-23209 | Potential RCE with a compromised security key in craft/cms | cms | 8.1 | High | 2025-01-18
CVE-2024-10970 | Motors – Car Dealer, Classifieds & Listing <= 1.4.43 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Custom Title | Motors – Car Dealership & Classified Listings Plugin | 5.4 | Medium | 2025-01-16
CVE-2025-23061 | Mongoose code injection vulnerability | Mongoose | 9.0 | Critical | 2025-01-15
CVE-2024-49375 | Remote Code Execution via Remote Model Loading in Rasa | rasa-pro-security-advisories | 9.1 | Critical | 2025-01-14

Vulnerabilities classified as CWE-94 (Improper Control of Generation of Code ('Code Injection')) account for 1335 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.