Skip to main content

Widget Wrangler EUVDEUVD-2026-15728

| CVE-2026-25447 CRITICAL
Code Injection (CWE-94)
2026-03-25 Patchstack GHSA-f7r3-8xgv-qxr2
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15728
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
CRITICAL 9.1

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection.This issue affects Widget Wrangler: from n/a through <= 2.3.9.

AnalysisAI

A Code Injection vulnerability (CWE-94) exists in the Jonathan Daggerhart Widget Wrangler WordPress plugin through version 2.3.9, allowing unauthenticated attackers to execute arbitrary code on affected installations. This Remote Code Execution (RCE) vulnerability enables complete server compromise and data exfiltration. Active exploitation has been documented by Patchstack, indicating this is a practical, real-world threat requiring immediate patching.

Technical ContextAI

The vulnerability resides in the Widget Wrangler plugin for WordPress (CPE: cpe:2.3:a:jonathan_daggerhart:widget_wrangler:*:*:*:*:*:*:*:*), a widget management tool. The root cause is classified as CWE-94 (Improper Control of Generation of Code), which occurs when the application dynamically generates or evaluates code without proper input sanitization or validation. In this context, the plugin likely processes user-supplied input (possibly through AJAX endpoints, widget configuration parameters, or shortcode attributes) and passes it to PHP evaluation functions such as eval(), assert(), or create_function() without adequate escaping. WordPress plugins are particularly susceptible to such flaws because they operate within the WordPress core context with direct database and filesystem access, amplifying the impact of code injection.

RemediationAI

Immediately upgrade Jonathan Daggerhart Widget Wrangler to the patched version (a version higher than 2.3.9 should be available from the official WordPress plugin repository or the vendor's site). After upgrading, verify the plugin is active and reload all pages to ensure the patch is in effect. Until patching is possible, disable or deactivate the Widget Wrangler plugin entirely to prevent exploitation. If deactivation is not feasible due to operational dependencies, restrict direct access to the WordPress installation via network-level controls (IP whitelisting, WAF rules) and monitor server logs for suspicious AJAX requests or code evaluation patterns. See Patchstack's security advisory at https://patchstack.com/database/Wordpress/Plugin/widget-wrangler/vulnerability/wordpress-widget-wrangler-plugin-2-3-9-remote-code-execution-rce-vulnerability for vendor patch details and timeline.

Share

EUVD-2026-15728 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy