What the vulnerability does
01 Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection. This issue affects Nelio AB Testing: from n/a through <= 8.1.8.
Explanation of Vulnerability in Simple Terms
02 Summary
Nelio AB Testing versions 8.1.8 and earlier allow high-privilege users to inject and execute arbitrary code on the site. An attacker with administrator or equivalent access can run their own PHP code, potentially compromising the entire WordPress installation. Update to a version newer than 8.1.8 immediately.
What an attacker can do
03 Attacker Capabilities
Run arbitrary PHP code on the site with full site access.
Potential impact on your site
04 Site Impact
A compromised admin account can execute code affecting all site data, users, and functionality.
Conditions required to exploit
05 Prerequisites
Attacker must have high-level admin or equivalent privileges on the site.
Key dates
06 Disclosure timeline
January 22, 2026: CVE published
April 28, 2026: Record updated