Widget Options < 4.2.3 – Contributor+ Remote Code Execution via Display Logic | CVE 2026-2052 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Remote Code Execution via the Display Logic feature due to the use of eval() on user-supplied Display Logic expressions with an insufficient blocklist/allowlist that can be bypassed using array_map with string concatenation, combined with a lack of authorization enforcement on the extended_widget_opts_block attribute. This makes it possible for authenticated attackers with Contributor-level access and above to execute code on the server. The vulnerability was partially patched in version 4.2.0.

Affects Plugins

extended-widget-options

Fixed in 5.3.3

Fixed in 4.2.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/68023557-fc92-4cf6-96b4-405ff5a5fd5a

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

stealthcopter, Hung Nguyen (bashu)

Verified

No

WPVDB ID

7f286af9-23c3-44e6-b733-cde57761e274

Timeline

Publicly Published

2026-05-01 (about 12 days ago)

Added

2026-05-04 (about 9 days ago)

Last Updated

2026-05-04 (about 9 days ago)

Other

Published

Title

Published

2026-03-20

Title

Kali Forms < 2.4.10 - Unauthenticated Remote Code Execution via form_process

Published

2014-08-01

Title

Money - wp-content/themes/MoneyTheme/uploads/upload.php File Upload Remote Code Execution

Published

2015-03-18

Title

Ajax Search Lite < 3.11 - Authenticated RCE

Published

2024-04-05

Title

Advanced Order Export For WooCommerce < 3.4.5 - Shop Manager+ Remote Code Execution

Published

2019-07-15

Title

Ad Inserter <= 2.4.21 - Authenticated Remote Code Execution