CVE-2026-2052:

Remote Code Execution vulnerability in the Widget Options WordPress plugin (versions up to and including 4.2.2) via an insufficiently restricted `eval()` call in the Display Logic feature, exploitable by Contributor-level authenticated users.

Score
A numerical rating that indicates how dangerous this vulnerability is.

8.8High

Published Date:May 2, 2026
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:0.1
EPSS Percentile:18%

Exploitability

Score:2.8
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:LOW
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.9
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Overview

CVE-2026-2052 affects the Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets WordPress plugin through version 4.2.2. The flaw stems from unsafe use of PHP's `eval()` function on user-controlled Display Logic expressions, paired with an inadequate blocklist that can be circumvented using `array_map` with string concatenation. Because authorization checks on the `extended_widget_opts_block` attribute are absent, any authenticated user at the Contributor level or above can craft and submit malicious expressions that result in arbitrary server-side PHP code execution. With a CVSS v3.1 score of 8.8 (HIGH), this vulnerability poses a severe risk to WordPress sites running the affected plugin versions, potentially enabling full server compromise including data theft, file manipulation, and service disruption.

Remediation

WordPress site administrators running the Widget Options plugin should immediately update to the latest available version beyond 4.2.2, which contains the complete fix for this vulnerability. Since the partial patch in version 4.2.0 was insufficient to fully remediate the issue, ensuring the plugin is updated to the most current release is essential. If an immediate update is not possible, administrators should consider deactivating the plugin or restricting Contributor-level and above user permissions to limit exposure. Additionally, reviewing site user roles and minimizing the number of users with Contributor or higher privileges can reduce the attack surface. Implementing a Web Application Firewall (WAF) with rules targeting `eval()`-based injection attempts may provide supplementary protection in the interim.