Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable code injection needing only a Contributor account (PR:L) and no interaction; RCE yields full C/I/A, but I assess S:U as execution stays within the WordPress security authority.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Contributor Remote Code Execution (RCE) in Widget Options <= 4.2.3 versions.
AnalysisAI
Code injection in the Widget Options WordPress plugin (versions <= 4.2.3, by marketingfire) allows authenticated users holding the low-privileged Contributor role to achieve remote code execution on the host. Because exploitation only requires a Contributor account - a role frequently granted on multi-author and membership sites - an attacker who can register or compromise such an account can run arbitrary PHP and fully take over the site. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with at least Contributor privileges (CVSS PR:L), and the target site must be running Widget Options 4.2.3 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All severity signals point the same direction: the CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, score 9.9) describes a network-reachable, low-complexity attack requiring only low privileges and no user interaction, with a scope change and full confidentiality/integrity/availability impact - consistent with RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers (or compromises) a Contributor-level account on a WordPress site running Widget Options <= 4.2.3, then submits crafted widget/option input that is processed by the plugin's vulnerable code-generation sink. The injected payload is evaluated as PHP within the WordPress process, giving the attacker arbitrary code execution and a path to full site takeover. … |
| Remediation | Update the Widget Options plugin to the latest release above 4.2.3 as soon as the vendor publishes it; no exact fixed version is named in the available data, so confirm the patched version directly via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/widget-options/vulnerability/wordpress-widget-options-plugin-4-2-3-remote-code-execution-rce-vulnerability) and the plugin's WordPress.org changelog before relying on it - no vendor-released patch version is independently confirmed here. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all WordPress installations using Widget Options plugin; immediately deactivate and remove the plugin from affected sites. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Widget Options
View allSame weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39365
GHSA-28rq-6fmf-79j2