Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable AJAX action, low complexity, and only subscriber authentication (PR:L) yield full code-execution impact (C:H/I:H/A:H) with no scope change.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widget_logic_visual_check_visibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action combined with insufficient sanitization of the 'nwlv[cod-tag]' parameter before storage and subsequent use in an eval() call. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server.
AnalysisAI
Remote code execution in the Widget Logic Visual WordPress plugin (all versions through 1.52) lets low-privileged authenticated users run arbitrary PHP on the server. The flaw stems from the widget-logic-update-conditional-tags AJAX action lacking a capability check and nonce verification, allowing any subscriber-and-above account to store attacker-controlled data in the 'nwlv[cod-tag]' parameter that is later passed to an eval() call by widget_logic_visual_check_visibility. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account with subscriber-level access or above (CVSS PR:L) on a WordPress site where the Widget Logic Visual plugin (<= 1.52) is installed and active; the attacker must reach the widget-logic-update-conditional-tags AJAX action via admin-ajax.php and supply a PHP payload in the 'nwlv[cod-tag]' parameter, which is then evaluated by widget_logic_visual_check_visibility through eval(). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine high-priority issue for any site running the plugin: the CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N, C:H/I:H/A:H, score 8.8) describes network-reachable, low-complexity RCE requiring only subscriber-level authentication and no user interaction - a very low bar on sites that permit self-registration - with full compromise across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a subscriber-level account on a WordPress site running Widget Logic Visual, then sends a crafted POST to admin-ajax.php invoking the widget-logic-update-conditional-tags action with a malicious PHP payload in the 'nwlv[cod-tag]' parameter. Because the handler performs no capability or nonce check, the payload is stored and subsequently executed by the plugin's eval() call, granting arbitrary code execution on the server. … |
| Remediation | No vendor-released patched version was identified at time of analysis - the references point to the plugin's WordPress trac trunk source rather than a tagged fixed release, so administrators should monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/5d82e9e2-c572-4911-a6a5-1384844214b0) and the plugin's WordPress.org page for a release above 1.52 and apply it as soon as it ships. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations for Widget Logic Visual plugin presence; identify all subscriber-and-above user accounts and assess credential exposure risk. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42161
GHSA-q799-r857-2h8x