Skip to main content

Widget Logic Visual EUVDEUVD-2026-42161

| CVE-2026-14158 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-07-08 Wordfence GHSA-q799-r857-2h8x
8.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable AJAX action, low complexity, and only subscriber authentication (PR:L) yield full code-execution impact (C:H/I:H/A:H) with no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 05:29 vuln.today
CVE Published
Jul 08, 2026 - 04:30 nvd
HIGH 8.8

DescriptionCVE.org

The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widget_logic_visual_check_visibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action combined with insufficient sanitization of the 'nwlv[cod-tag]' parameter before storage and subsequent use in an eval() call. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server.

AnalysisAI

Remote code execution in the Widget Logic Visual WordPress plugin (all versions through 1.52) lets low-privileged authenticated users run arbitrary PHP on the server. The flaw stems from the widget-logic-update-conditional-tags AJAX action lacking a capability check and nonce verification, allowing any subscriber-and-above account to store attacker-controlled data in the 'nwlv[cod-tag]' parameter that is later passed to an eval() call by widget_logic_visual_check_visibility. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain subscriber-level account
Delivery
POST to admin-ajax.php widget-logic-update-conditional-tags
Exploit
Inject PHP in nwlv[cod-tag]
Execution
Stored without capability/nonce check
Persist
eval() executes payload
Impact
Arbitrary code execution on server

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account with subscriber-level access or above (CVSS PR:L) on a WordPress site where the Widget Logic Visual plugin (<= 1.52) is installed and active; the attacker must reach the widget-logic-update-conditional-tags AJAX action via admin-ajax.php and supply a PHP payload in the 'nwlv[cod-tag]' parameter, which is then evaluated by widget_logic_visual_check_visibility through eval(). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue for any site running the plugin: the CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N, C:H/I:H/A:H, score 8.8) describes network-reachable, low-complexity RCE requiring only subscriber-level authentication and no user interaction - a very low bar on sites that permit self-registration - with full compromise across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a subscriber-level account on a WordPress site running Widget Logic Visual, then sends a crafted POST to admin-ajax.php invoking the widget-logic-update-conditional-tags action with a malicious PHP payload in the 'nwlv[cod-tag]' parameter. Because the handler performs no capability or nonce check, the payload is stored and subsequently executed by the plugin's eval() call, granting arbitrary code execution on the server. …
Remediation No vendor-released patched version was identified at time of analysis - the references point to the plugin's WordPress trac trunk source rather than a tagged fixed release, so administrators should monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/5d82e9e2-c572-4911-a6a5-1384844214b0) and the plugin's WordPress.org page for a release above 1.52 and apply it as soon as it ships. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations for Widget Logic Visual plugin presence; identify all subscriber-and-above user accounts and assess credential exposure risk. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42161 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy