CVE-2026-2052 - Vulnerability Analysis
Severity: High | CVSS score: 8.8 | Last updated: May 2, 2026
Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets - Remote Code Execution
Overview
Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets for WordPress, in all versions up to and including 4.2.2, is vulnerable to remote code execution. The plugin passes user-supplied Display Logic expressions to eval(), and extended_widget_opts_block lacks an authorization check, so an authenticated attacker with Contributor-level access or higher can store an expression that is executed as PHP on the server. Exploitation requires an account with at least Contributor privileges.
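To make the two defects named above concrete, the following is an added example written for this page; it is not code from the Widget Options plugin and does not reproduce its internals. It places the CWE-94 pattern the advisory describes (a saved Display Logic string spliced into eval()) next to a hardened replacement that first requires a capability Contributors do not hold and then parses the expression against a whitelist of predicates instead of executing it. The function names, the mini-grammar, the predicate list and the state array are assumptions; current_user_can() and the manage_options and unfiltered_html capabilities are WordPress's real API, and the stub for current_user_can() exists only so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Names, grammar and predicate list are assumptions.
// VULNERABLE PATTERN (CWE-94): the saved Display Logic string is spliced into PHP
// source and executed, so whoever may save the string may run PHP on the server.
function vulnerable_display_logic( $logic ) {
    return (bool) eval( 'return ( ' . $logic . ' );' );
}

// HARDENED, STEP 1 (authorization): only roles that may already run code on the site
// should store code-like logic; Contributors hold neither capability. current_user_can()
// is WordPress's real API; the stub only lets this file run outside WordPress.
if ( ! function_exists( 'current_user_can' ) ) {
    function current_user_can( $cap ) { return false; }
}
function can_save_display_logic() {
    return current_user_can( 'manage_options' ) || current_user_can( 'unfiltered_html' );
}

// HARDENED, STEP 2 (no eval): parse a tiny boolean language over whitelisted predicates.
//   expr := term ('||' term)*      term := factor ('&&' factor)*
//   factor := '!' factor | '(' expr ')' | IDENT '()'   (IDENT must be whitelisted)
class DisplayLogic {
    private static $allowed = array( 'is_user_logged_in', 'is_front_page', 'is_single', 'is_home' );
    private $state, $tokens = array(), $pos = 0;

    // $state maps predicate name => bool (in WordPress, filled from conditional tags).
    public function __construct( array $state ) { $this->state = $state; }

    public function evaluate( $logic ) {
        $this->tokens = $this->tokenize( $logic );
        $this->pos    = 0;
        $value        = $this->parseOr();
        if ( $this->pos !== count( $this->tokens ) ) {
            throw new InvalidArgumentException( 'unexpected token after expression' );
        }
        return $value;
    }

    // Rejects anything that is not an operator, a parenthesis or a whitelisted predicate.
    private function tokenize( $logic ) {
        $s      = preg_replace( '/\s+/', '', $logic );
        $tokens = array();
        for ( $i = 0, $n = strlen( $s ); $i < $n; ) {
            $two = substr( $s, $i, 2 );
            if ( '||' === $two || '&&' === $two ) {
                $tokens[] = $two; $i += 2;
            } elseif ( false !== strpos( '!()', $s[ $i ] ) ) {
                $tokens[] = $s[ $i ]; $i += 1;
            } elseif ( preg_match( '/^([a-z_][a-z0-9_]*)\(\)/', substr( $s, $i ), $m ) ) {
                if ( ! in_array( $m[1], self::$allowed, true ) ) {
                    throw new InvalidArgumentException( 'disallowed predicate: ' . $m[1] );
                }
                $tokens[] = $m[1]; $i += strlen( $m[0] );
            } else {
                throw new InvalidArgumentException( 'unexpected input at offset ' . $i );
            }
        }
        return $tokens;
    }

    private function peek() {
        return $this->pos < count( $this->tokens ) ? $this->tokens[ $this->pos ] : null;
    }

    // Operands are parsed before combining so the whole string is validated, not a prefix.
    private function parseOr() {
        $v = $this->parseAnd();
        while ( '||' === $this->peek() ) { $this->pos++; $r = $this->parseAnd(); $v = $v || $r; }
        return $v;
    }

    private function parseAnd() {
        $v = $this->parseFactor();
        while ( '&&' === $this->peek() ) { $this->pos++; $r = $this->parseFactor(); $v = $v && $r; }
        return $v;
    }

    private function parseFactor() {
        $t = $this->peek();
        if ( '!' === $t ) { $this->pos++; return ! $this->parseFactor(); }
        if ( '(' === $t ) {
            $this->pos++;
            $v = $this->parseOr();
            if ( ')' !== $this->peek() ) { throw new InvalidArgumentException( 'missing closing parenthesis' ); }
            $this->pos++;
            return $v;
        }
        if ( null === $t || in_array( $t, array( ')', '||', '&&' ), true ) ) {
            throw new InvalidArgumentException( 'expected a predicate' );
        }
        $this->pos++;
        return ! empty( $this->state[ $t ] );  // only whitelisted names reach here
    }
}

// Demo with constructed predicate values.
$logic = new DisplayLogic( array( 'is_user_logged_in' => true, 'is_single' => false ) );
var_dump( $logic->evaluate( 'is_user_logged_in() && !is_single()' ) );
// The kind of payload eval() would have executed is refused during tokenisation.
try {
    $logic->evaluate( 'is_user_logged_in() || system("id")' );
} catch ( InvalidArgumentException $e ) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php` on the command line. The point of the design is that rejection happens while tokenising, before any predicate is consulted, so a payload appended after a valid prefix is refused as a whole instead of being executed; with eval() the valid prefix buys the attacker nothing but the rest of the string runs as PHP. In a real plugin, can_save_display_logic() would gate the save handler in addition to the parser, because authorization and input handling were two separate gaps in this advisory.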
Severity & Score
High (CVSS 3.1 base score 8.8; the full vector is listed under Details)
Impact
Authenticated attackers with Contributor-level access can execute arbitrary code on the server, potentially leading to full server compromise.
Mitigation
Update to a version later than 4.2.2, preferably the latest available release. Because exploitation requires an authenticated account with at least Contributor privileges, audit and prune such accounts until the update is applied.
References
- https://plugins.trac.wordpress.org/changeset/3481338/
- https://plugins.trac.wordpress.org/changeset/3514411/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/68023557-fc92-4cf6-96b4-405ff5a5fd5a?source=cve
- https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L495
- https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L534
- https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/widgets/gutenberg/gutenberg-toolbar.php#L843
Details
- CVE ID
- CVE-2026-2052
- Severity
- High
- CVSS Score
- 8.8
- Type
- command_injection (site taxonomy; the underlying defect is code injection through eval(), see CWE-94)
- Status
- new
CWE
- CWE-94 (Improper Control of Generation of Code, 'Code Injection')
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
(network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality, integrity and availability impact)