Remote Code Execution Vulnerability in Widget Options Plugin for WordPress
CVE-2024-8672
Key Information
- Vendor: Marketingfire
- Product: Widget Options – The #1 WordPress Widget & Block Control Plugin
- CVE Published: 28 November 2024
Summary
CVE-2024-8672 identifies a critical Remote Code Execution vulnerability in the Widget Options plugin for WordPress. The issue affects all versions up to and including 4.0.7: authenticated attackers with Contributor-level access or higher can submit unfiltered input that the display logic feature passes to the PHP eval() function, allowing arbitrary code to run on the server and putting the integrity and security of the site at serious risk. Affected users should note that the earlier recommendations to enforce an allowlist of executable functions and to restrict command execution to administrators have not been addressed by the vendor. Although a patch exists, residual risk may remain because the mitigation is incomplete.
Affected Version(s)
Widget Options – The #1 WordPress Widget & Block Control Plugin <= 4.0.7
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
References
CVSS V3.1
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved