Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection.This issue affects Widget Wrangler: from n/a through <= 2.3.9.
AnalysisAI
A Code Injection vulnerability (CWE-94) exists in the Jonathan Daggerhart Widget Wrangler WordPress plugin through version 2.3.9, allowing unauthenticated attackers to execute arbitrary code on affected installations. This Remote Code Execution (RCE) vulnerability enables complete server compromise and data exfiltration. Active exploitation has been documented by Patchstack, indicating this is a practical, real-world threat requiring immediate patching.
Technical ContextAI
The vulnerability resides in the Widget Wrangler plugin for WordPress (CPE: cpe:2.3:a:jonathan_daggerhart:widget_wrangler:*:*:*:*:*:*:*:*), a widget management tool. The root cause is classified as CWE-94 (Improper Control of Generation of Code), which occurs when the application dynamically generates or evaluates code without proper input sanitization or validation. In this context, the plugin likely processes user-supplied input (possibly through AJAX endpoints, widget configuration parameters, or shortcode attributes) and passes it to PHP evaluation functions such as eval(), assert(), or create_function() without adequate escaping. WordPress plugins are particularly susceptible to such flaws because they operate within the WordPress core context with direct database and filesystem access, amplifying the impact of code injection.
RemediationAI
Immediately upgrade Jonathan Daggerhart Widget Wrangler to the patched version (a version higher than 2.3.9 should be available from the official WordPress plugin repository or the vendor's site). After upgrading, verify the plugin is active and reload all pages to ensure the patch is in effect. Until patching is possible, disable or deactivate the Widget Wrangler plugin entirely to prevent exploitation. If deactivation is not feasible due to operational dependencies, restrict direct access to the WordPress installation via network-level controls (IP whitelisting, WAF rules) and monitor server logs for suspicious AJAX requests or code evaluation patterns. See Patchstack's security advisory at https://patchstack.com/database/Wordpress/Plugin/widget-wrangler/vulnerability/wordpress-widget-wrangler-plugin-2-3-9-remote-code-execution-rce-vulnerability for vendor patch details and timeline.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15728
GHSA-f7r3-8xgv-qxr2