Remote Code Execution in Widget Logic Visual Plugin for WordPress
CVE-2026-14158
8.8HIGH
What is CVE-2026-14158?
The Widget Logic Visual plugin for WordPress introduces a serious security flaw that allows authenticated attackers, with subscriber-level access or higher, to execute arbitrary code on the server. This vulnerability stems from a lack of capability checks and nonce verification in the widget_logic_visual_check_visibility function, specifically during the widget-logic-update-conditional-tags AJAX action. Furthermore, insufficient sanitization of the 'nwlv[cod-tag]' parameter before it is processed in an eval() call exacerbates the issue, facilitating potential exploitation.
Affected Version(s)
Widget Logic Visual 0 <= 1.52