WordPress Plugin Vulnerabilities

Widget Options < 4.1.1 - Contributor+ Remote Code Execution

Description

The plugin is vulnerable to Remote Code Execution. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
widget-options
Fixed in 4.1.1

References

CVE
CVE-2025-22630
URL
https://patchstack.com/database/wordpress/plugin/widget-options/vulnerability/wordpress-widget-options-plugin-4-1-0-arbitrary-code-execution-vulnerability

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Tran Nguyen Bao Khanh
Verified
No
WPVDB ID
c1d806d4-3a84-46a4-ab1d-edaa689ac7a3

Timeline

Publicly Published
2025-02-11 (about 1 year ago)
Added
2025-02-20 (about 1 year ago)
Last Updated
2025-02-20 (about 1 year ago)

Other

Published
Title
Published
2014-10-12
Title
Work-The-Flow 1.2.1 - Shell Upload
Published
2022-03-22
Title
Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call
Published
2026-03-05
Title
WP All Import < 4.0.1 - Reflected Cross-Site Scripting via 'filepath'
Published
2016-04-12
Title
Robo Gallery <= 2.0.14 - Remote Code Execution
Published
2025-01-21
Title
GamiPress < 7.2.2 - Unauthenticated Arbitrary Shortcode Execution via gamipress_ajax_get_logs Function