Remote Code Execution in Widget Options Plugin for WordPress
CVE-2026-2052

8.8HIGH

Key Information:

Vendor: WordPress
Status: Widget Options – Advanced Conditional Visibility For Gutenberg Blocks & Classic Widgets; Widget Options - Extended
Vendor: CVE Published:; 2 May 2026

What is CVE-2026-2052?

The Widget Options plugin for WordPress, specifically the Advanced Conditional Visibility feature, is susceptible to Remote Code Execution due to improper handling of user-supplied Display Logic expressions. Versions up to 4.2.2 utilize eval() without sufficient validation, allowing authenticated attackers with Contributor-level permissions or higher to execute arbitrary code on the server. This vulnerability arises from inadequate filtering in the blocklist/allowlist and insufficient authorization checks on certain attributes. Although it was partially addressed in version 4.2.0, users are encouraged to verify their installations and apply recommended updates to ensure security.

Affected Version(s)

Widget Options - Extended 0 <= 5.3.2

Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets 0 <= 4.2.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/widget-options...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 2, 2026
Vulnerability Reserved
Feb 6, 2026

Credit

Matthew Rollings

Hung Nguyen

CVE-2026-2052 Data

JSON