CVE-2026-2052
Deferred Deferred - Pending Action
Remote Code Execution in Widget Options WordPress Plugin

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via the Display Logic feature. This is due to the plugin using eval() on user-supplied Display Logic expressions with an insufficient blocklist/allowlist that can be bypassed using array_map with string concatenation, combined with a lack of authorization enforcement on the extended_widget_opts_block attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. The vulnerability was partially patched in version 4.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-05-07
AI Q&A
2026-05-02
EPSS Evaluated
2026-05-05
NVD
CVE-2026-2052
EUVD
EUVD-2026-26754
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
widget_options widget_options to 4.2.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in the Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress, affecting all versions up to and including 4.2.2. It allows Remote Code Execution through the Display Logic feature because the plugin uses the eval() function on user-supplied expressions without sufficient filtering. Attackers with Contributor-level access or higher can bypass the weak blocklist/allowlist by using array_map with string concatenation, and due to a lack of authorization enforcement on a specific attribute, they can execute arbitrary code on the server.


How can this vulnerability impact me? :

This vulnerability can have severe impacts as it allows authenticated users with relatively low privileges (Contributor-level) to execute arbitrary code on the server hosting the WordPress site. This can lead to full compromise of the server, including data theft, site defacement, installation of malware, or further attacks on the network.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin to a version later than 4.2.2, as all versions up to and including 4.2.2 are vulnerable.

Note that the vulnerability was partially patched in version 4.2.0, but a full fix requires updating beyond 4.2.2.

Additionally, restrict Contributor-level access and above to trusted users only, as the vulnerability requires authenticated users with at least Contributor privileges.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart