Skip to main content

Widget Options CVE-2026-54823

| EUVDEUVD-2026-39365 CRITICAL
Code Injection (CWE-94)
2026-06-25 Patchstack GHSA-28rq-6fmf-79j2
9.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable code injection needing only a Contributor account (PR:L) and no interaction; RCE yields full C/I/A, but I assess S:U as execution stays within the WordPress security authority.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:18 vuln.today

DescriptionCVE.org

Contributor Remote Code Execution (RCE) in Widget Options <= 4.2.3 versions.

AnalysisAI

Code injection in the Widget Options WordPress plugin (versions <= 4.2.3, by marketingfire) allows authenticated users holding the low-privileged Contributor role to achieve remote code execution on the host. Because exploitation only requires a Contributor account - a role frequently granted on multi-author and membership sites - an attacker who can register or compromise such an account can run arbitrary PHP and fully take over the site. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor account (register or compromise)
Delivery
Access plugin widget/option endpoint
Exploit
Submit crafted code-injection payload
Execution
Plugin evaluates input as PHP
Persist
Execute arbitrary code on server
Impact
Full WordPress site takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with at least Contributor privileges (CVSS PR:L), and the target site must be running Widget Options 4.2.3 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All severity signals point the same direction: the CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, score 9.9) describes a network-reachable, low-complexity attack requiring only low privileges and no user interaction, with a scope change and full confidentiality/integrity/availability impact - consistent with RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers (or compromises) a Contributor-level account on a WordPress site running Widget Options <= 4.2.3, then submits crafted widget/option input that is processed by the plugin's vulnerable code-generation sink. The injected payload is evaluated as PHP within the WordPress process, giving the attacker arbitrary code execution and a path to full site takeover. …
Remediation Update the Widget Options plugin to the latest release above 4.2.3 as soon as the vendor publishes it; no exact fixed version is named in the available data, so confirm the patched version directly via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/widget-options/vulnerability/wordpress-widget-options-plugin-4-2-3-remote-code-execution-rce-vulnerability) and the plugin's WordPress.org changelog before relying on it - no vendor-released patch version is independently confirmed here. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all WordPress installations using Widget Options plugin; immediately deactivate and remove the plugin from affected sites. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54823 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy