CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

We have discovered 1,503,676 live websites that are affected by CWE-94.

Available Reports

Website List

CVEs

Count - 152

CWE References

cwe.mitre.org

Website Distribution by Country

Number of websites using CWE-94

United States	396,228 websites

Germany	147,014 websites
Italy	87,601 websites
France	85,403 websites
GB	67,052 websites
Spain	51,050 websites
Netherlands	41,874 websites
Japan	41,137 websites
Russia	37,562 websites
Poland	36,718 websites

Website Distribution by TLD

Number of websites using CWE-94

.com	625,917 websites
.de	78,590 websites
.org	62,419 websites
.it	62,348 websites
.co.uk	40,671 websites
.nl	36,829 websites
.net	34,408 websites
.fr	33,345 websites
.com.br	31,623 websites
.ru	29,924 websites

Newest CVEs

List of the most recent CVEs that are part of CWE-94

Discovered	CVE	Description	Websites
Dec, 2025	CVE-2025-13642	ProfilePress <= 4.16.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution	49,753
Dec, 2025	CVE-2024-32641	Masa CMS Vulnerable to Pre-Auth RCE via JSON API	49
Dec, 2025	CVE-2025-13486	Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form	573
Dec, 2025	CVE-2025-66294	Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass	15
Dec, 2025	CVE-2025-66299	Security Sandbox Bypass with SSTI (Server Side Template Injection) in the Grav CMS	15
Nov, 2025	CVE-2025-13035	Code Snippets <= 3.9.1 - Authenticated (Contributor+) PHP Code Injection via extract() and PHP Filter Chains	15
Nov, 2025	CVE-2025-7711	Classified Listing – Classified ads & Business Directory Plugin <= 5.0.3 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Listing Description	590
Nov, 2025	CVE-2025-9334	Better Find and Replace <= 1.7.7 - Authenticated (Subscriber+) Limited Code Injection	11,871
Nov, 2025	CVE-2025-6990	Kallyas <= 4.24.0 - Authenticated (Contributor+) Remote Code Execution	12,401
Nov, 2025	CVE-2025-10487	Advanced Ads <= 2.0.12 - Unauthenticated Limited Code Execution	33,351

The most widespread CVEs

List of the most common CVEs that are part of CWE-94

Discovered	CVE	Description	Websites
Jan, 2024	CVE-2023-6528	Slider Revolution < 6.6.19 - Author+ Insecure Deserialization leading to RCE	1,019,850
Jun, 2023	CVE-2023-2359	Revolution Slider <= 6.6.12 - Author+ Remote Code Execution	931,825
Feb, 2025	CVE-2024-13346	Avada Theme <= 7.11.13 - Unauthenticated Arbitrary Shortcode Execution	114,078
Dec, 2025	CVE-2025-13642	ProfilePress <= 4.16.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution	49,753
Dec, 2024	CVE-2024-12238	Ninja Forms – The Contact Form Builder That Grows With You <= 3.8.22 - Authenticated (Subscriber+) Arbitrary Shortcode Execution	46,655
Jul, 2024	CVE-2024-37934	WordPress Ninja Forms plugin <= 3.8.4 - Subscriber+ Arbitrary Shortcode Execution vulnerability	39,439
Jul, 2025	CVE-2025-6744	Woodmart <= 8.2.3 - Unauthenticated Arbitrary Shortcode Execution	38,887
Jan, 2025	CVE-2024-11733	WordPress Popular Posts <= 7.1.0 - Unauthenticated Arbitrary Shortcode Execution	36,585
Dec, 2023	CVE-2023-49830	WordPress Astra Pro Plugin <= 4.3.1 is vulnerable to Remote Code Execution (RCE)	34,910
Feb, 2025	CVE-2024-13345	Avada Builder <= 3.11.13 - Unauthenticated Arbitrary Shortcode Execution	34,418

Websites affected by CWE-94

Top websites that are affected by CWE-94. Please click on the "Contact us" link to get more information.

Domain	Country	Rank
*****.com	United States	***
****.com	United States	***
******.**.com	United States	***
*.*******.com	Singapore	,**
*****.pl	Poland	,**
***********..za	South Africa	,**
******.com	United States	,**
***.int	Switzerland	,**
*****.com	United States	,**
**********.org	United States	,**

See full domain list