CVE-2026-25447
Received Received - Intake
Code Injection in Widget Wrangler <= 2.3.9 Allows Remote Exploits

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection.This issue affects Widget Wrangler: from n/a through <= 2.3.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25447
EUVD
EUVD-2026-15728
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
jonathan_daggerhart widget_wrangler to 2.3.9 (inc)
patchstack widget_wrangler From 2.3.0 (inc) to 2.3.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

There is no specific information provided about detection methods or commands to identify the CVE-2026-25447 vulnerability on your network or system.

Executive Summary

CVE-2026-25447 is a Code Injection vulnerability in the WordPress Widget Wrangler Plugin versions up to and including 2.3.9. It allows a malicious actor to execute arbitrary commands on the target website, potentially gaining backdoor access and full control over the site.

This vulnerability falls under the OWASP Top 10 category A3: Injection and requires author or developer-level privileges to exploit.

Impact Analysis

Exploitation of this vulnerability can lead to remote code execution on your website, allowing attackers to gain full control over the site.

  • Attackers can execute arbitrary commands.
  • Potential backdoor access to the website.
  • Complete compromise of website integrity and availability.
Mitigation Strategies

To mitigate the CVE-2026-25447 vulnerability in the Widget Wrangler plugin, users should apply the mitigation rule issued by Patchstack that can block attacks exploiting this vulnerability until an official patch is released.

Users are strongly advised to update the affected plugin as soon as a patch becomes available.

Alternatively, seek assistance from your hosting provider or web developer to help mitigate the risk.

Compliance Impact

The CVE-2026-25447 vulnerability allows remote code execution, which can lead to unauthorized access and control over the affected website. Such a compromise can result in exposure or manipulation of sensitive personal data, potentially violating data protection regulations like GDPR and HIPAA.

Because this vulnerability falls under the OWASP Top 10 category A3: Injection, it represents a significant security risk that organizations must address to maintain compliance with common security standards and regulations.

Failure to mitigate or patch this vulnerability could lead to breaches that violate regulatory requirements for protecting personal and sensitive information, thereby impacting compliance with standards such as GDPR and HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25447. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart