WordPress Plugin Vulnerabilities

Widget Logic < 6.0.6 - Contributor+ Remote Code Execution

Description

The plugin is vulnerable to Remote Code Execution. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
widget-logic
Fixed in 6.0.6

References

CVE
CVE-2025-32222
URL
https://patchstack.com/database/wordpress/plugin/widget-logic/vulnerability/wordpress-widget-logic-6-0-5-remote-code-execution-rce-vulnerability

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (high)

Miscellaneous

Original Researcher
ch4r0n
Verified
No
WPVDB ID
0fe04d83-9ef4-4266-87e0-c2ff4883009f

Timeline

Publicly Published
2025-06-09 (about 11 months ago)
Added
2025-06-19 (about 10 months ago)
Last Updated
2025-07-25 (about 9 months ago)

Other

Published
Title
Published
2025-10-21
Title
Stockie Extra < 1.2.12 - Unauthenticated Arbitrary Shortcode Execution
Published
2024-12-11
Title
Grid Plus – Unlimited grid layout <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via grid_plus_load_by_category
Published
2022-12-23
Title
User Post Gallery <= 2.19 - Unauthenticated RCE
Published
2023-12-15
Title
Duplicator < 1.3.0 - Unauthenticated RCE
Published
2023-09-05
Title
Media Library Assistant < 3.10 - Unauthenticated Local/Remote File Inclusion & Remote Code Execution