Skip to main content

Widget Options

2 CVEs product

Monthly

CVE-2026-54823 CRITICAL Act Now

Code injection in the Widget Options WordPress plugin (versions <= 4.2.3, by marketingfire) allows authenticated users holding the low-privileged Contributor role to achieve remote code execution on the host. Because exploitation only requires a Contributor account - a role frequently granted on multi-author and membership sites - an attacker who can register or compromise such an account can run arbitrary PHP and fully take over the site. There is no public exploit identified at time of analysis, but the 9.9 CVSS and CWE-94 classification place this at the most severe end of WordPress plugin flaws.

Code Injection RCE Widget Options
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2024-35690 MEDIUM This Month

Insertion of sensitive information into sent data vulnerability in MarketingFire Widget Options allows Retrieve Embedded Sensitive Data.0.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Widget Options
NVD
CVSS 3.1
6.5
EPSS
0.3%
EPSS 0% CVSS 9.9
CRITICAL Act Now

Code injection in the Widget Options WordPress plugin (versions <= 4.2.3, by marketingfire) allows authenticated users holding the low-privileged Contributor role to achieve remote code execution on the host. Because exploitation only requires a Contributor account - a role frequently granted on multi-author and membership sites - an attacker who can register or compromise such an account can run arbitrary PHP and fully take over the site. There is no public exploit identified at time of analysis, but the 9.9 CVSS and CWE-94 classification place this at the most severe end of WordPress plugin flaws.

Code Injection RCE Widget Options
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Insertion of sensitive information into sent data vulnerability in MarketingFire Widget Options allows Retrieve Embedded Sensitive Data.0.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Widget Options
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy