Vulnerabilities and security researches forinsert-php insert-php

Mar 30, 2026

CVE, Research URL: CVE-2026-25366
Home page URL: Security reports for Woody code snippets – Insert Header Footer Code, AdSense Ads
Application: Woody code snippets – Insert Header Footer Code, AdSense Ads
Date: Mar 25, 2026
Research Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.This issue affects Woody ad snippets: from n/a through <= 2.7.1.
Affected versions: max 2.7.1.
Status: vulnerable

Jun 17, 2024

CVE, Research URL: CVE-2024-3105
Home page URL: Security reports for Woody code snippets – Insert Header Footer Code, AdSense Ads
Application: Woody code snippets – Insert Header Footer Code, AdSense Ads
Date: Jun 15, 2024
Research Description: The Woody code snippets – Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the 'insert_php' shortcode. This is due to the plugin not restricting the usage of the functionality to high level authorized users. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server.
Affected versions: max 2.5.1.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2024-35751
Home page URL: Security reports for Woody code snippets – Insert Header Footer Code, AdSense Ads
Application: Woody code snippets – Insert Header Footer Code, AdSense Ads
Date: Jun 08, 2024
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Creative Motion, Will Bontrager Software, LLC Woody ad snippets allows Stored XSS.This issue affects Woody ad snippets: from n/a through 2.4.10.
Affected versions: max 2.5.1.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2019-15858
Home page URL: Security reports for Woody code snippets – Insert Header Footer Code, AdSense Ads
Application: Woody code snippets – Insert Header Footer Code, AdSense Ads
Date: Sep 03, 2019
Research Description: admin/includes/class.import.snippet.php in the "Woody ad snippets" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution.
Affected versions: max 2.2.5.
Status: vulnerable

CVE, Research URL: CVE-2019-14773
Home page URL: Security reports for Woody code snippets – Insert Header Footer Code, AdSense Ads
Application: Woody code snippets – Insert Header Footer Code, AdSense Ads
Date: Aug 09, 2019
Research Description: admin/includes/class.actions.snippet.php in the "Woody ad snippets" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close&post= deletion.
Affected versions: max 2.4.6.
Status: vulnerable

CVE, Research URL: -
Home page URL: Security reports for Woody code snippets – Insert Header Footer Code, AdSense Ads
Application: Woody code snippets – Insert Header Footer Code, AdSense Ads
Date: Jun 07, 2023
Research Description: Rejected reason: CVE split into individual CVE IDs for each software record.
Affected versions: max 2.3.10.
Status: vulnerable

CVE, Research URL: CVE-2019-16289
Home page URL: Security reports for Woody code snippets – Insert Header Footer Code, AdSense Ads
Application: Woody code snippets – Insert Header Footer Code, AdSense Ads
Date: Sep 13, 2019
Research Description: The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter.
Affected versions: max 2.2.9.
Status: vulnerable

CVE, Research URL: CVE-2020-36759
Home page URL: Security reports for Woody code snippets – Insert Header Footer Code, AdSense Ads
Application: Woody code snippets – Insert Header Footer Code, AdSense Ads
Date: Oct 20, 2023
Research Description: The Woody code snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.9. This is due to missing or incorrect nonce validation on the runActions() function. This makes it possible for unauthenticated attackers to activate and deactivate snippets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 2.3.10.
Status: vulnerable