CVE-2026-27984
Received Received - Intake
Code Injection in Widget Options ≀ 4.1.3 Enables Remote Exploits

Publication date: 2026-03-05

Last updated on: 2026-03-06

Assigner: Patchstack

Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection.This issue affects Widget Options: from n/a through <= 4.1.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27984
EUVD
EUVD-2026-9654
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
patchstack widget_options to 4.1.3 (inc)
marketing_fire widget_options to 4.1.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27984 is a high-severity Remote Code Execution (RCE) vulnerability in the WordPress Widget Options Plugin versions up to and including 4.1.3.

This vulnerability is a type of Code Injection classified under OWASP Top 10 A3: Injection, which allows an attacker to execute arbitrary commands on the target website.

Exploitation requires a privileged user role, such as Contributor or Developer, to perform actions like clicking a malicious link, visiting a crafted page, or submitting a form.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can allow an attacker to gain backdoor access and full control over the affected website.'}, {'type': 'paragraph', 'content': "Because it enables Remote Code Execution, the attacker can execute arbitrary commands, potentially compromising the website's integrity, confidentiality, and availability."}, {'type': 'paragraph', 'content': 'The vulnerability has a critical CVSS score of 9, indicating a high likelihood of exploitation and severe impact.'}] [1]

Compliance Impact

I don't know

Detection Guidance

CVE-2026-27984 is a Remote Code Execution vulnerability in the WordPress Widget Options Plugin up to version 4.1.3. Detection typically involves monitoring for suspicious activities such as unexpected execution of commands or unusual HTTP requests targeting the widget-options plugin.

Since exploitation requires a privileged user role performing actions like clicking malicious links or submitting crafted forms, monitoring user activities and HTTP request logs for unusual patterns related to widget-options is recommended.

No specific detection commands are provided in the available resources.

Mitigation Strategies

There is no official patch available for CVE-2026-27984 at this time.

Patchstack has issued a mitigation rule to block attacks targeting this vulnerability, which users are strongly advised to apply immediately to protect their websites.

Additionally, restricting privileged user roles from performing risky actions and monitoring for suspicious activity can help reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27984. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart