WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability affecting users with language editing permissions. The vulnerability is exploitable through the language installation endpoint by manipulating installation parameters. Attackers can achieve arbitrary code execution on the server. The vulnerability requires authentication but provides high impact access to the underlying system. Multiple references and proof-of-concept exploits are available publicly.