Skip to main content

Widget Logic Visual

1 CVEs product

Monthly

CVE-2026-14158 HIGH This Week

Remote code execution in the Widget Logic Visual WordPress plugin (all versions through 1.52) lets low-privileged authenticated users run arbitrary PHP on the server. The flaw stems from the widget-logic-update-conditional-tags AJAX action lacking a capability check and nonce verification, allowing any subscriber-and-above account to store attacker-controlled data in the 'nwlv[cod-tag]' parameter that is later passed to an eval() call by widget_logic_visual_check_visibility. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

WordPress RCE File Upload Widget Logic Visual
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in the Widget Logic Visual WordPress plugin (all versions through 1.52) lets low-privileged authenticated users run arbitrary PHP on the server. The flaw stems from the widget-logic-update-conditional-tags AJAX action lacking a capability check and nonce verification, allowing any subscriber-and-above account to store attacker-controlled data in the 'nwlv[cod-tag]' parameter that is later passed to an eval() call by widget_logic_visual_check_visibility. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

WordPress RCE File Upload +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy