Widget Options
Monthly
Code injection in the Widget Options WordPress plugin (versions <= 4.2.3, by marketingfire) allows authenticated users holding the low-privileged Contributor role to achieve remote code execution on the host. Because exploitation only requires a Contributor account - a role frequently granted on multi-author and membership sites - an attacker who can register or compromise such an account can run arbitrary PHP and fully take over the site. There is no public exploit identified at time of analysis, but the 9.9 CVSS and CWE-94 classification place this at the most severe end of WordPress plugin flaws.
Insertion of sensitive information into sent data vulnerability in MarketingFire Widget Options allows Retrieve Embedded Sensitive Data.0.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Code injection in the Widget Options WordPress plugin (versions <= 4.2.3, by marketingfire) allows authenticated users holding the low-privileged Contributor role to achieve remote code execution on the host. Because exploitation only requires a Contributor account - a role frequently granted on multi-author and membership sites - an attacker who can register or compromise such an account can run arbitrary PHP and fully take over the site. There is no public exploit identified at time of analysis, but the 9.9 CVSS and CWE-94 classification place this at the most severe end of WordPress plugin flaws.
Insertion of sensitive information into sent data vulnerability in MarketingFire Widget Options allows Retrieve Embedded Sensitive Data.0.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.