Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization < 8.2.8 – Authenticated (Editor+) Remote Code Execution | CVE 2026-32573 | Plugin Vulnerabilities

Description

The Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.2.7. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.

Affects Plugins

nelio-ab-testing

Fixed in 8.2.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f96d99dc-df3a-4b01-b276-08a85860720e

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

No

WPVDB ID

9e2f085b-779c-47b4-af64-e5fa74dac486

Timeline

Publicly Published

2026-03-23 (about 2 months ago)

Added

2026-04-02 (about 1 month ago)

Last Updated

2026-04-02 (about 1 month ago)

Other

Published

Title

Published

2018-11-11

Title

Simple Link Directory < 5.6.0 - Authenticated PHP Object Injection

Published

2022-02-08

Title

PHP Everywhere < 3.0.0 - Contributor+ RCE via Gutenberg Block

Published

2025-03-28

Title

Shortcodes by United Themes < 5.1.7 - Unauthenticated Arbitrary Shortcode Execution

Published

2026-03-16

Title

ACPT (Pro) - Custom Post Types Plugin for WordPress <= 2.0.47 - Unauthenticated Remote Code Execution

Published

2024-11-27

Title

Widget Options < 4.0.8 - Contributor+ Remote Code Execution