A critical Remote Code Execution (RCE) vulnerability (CVE-2024-8672) has been identified in the Widget Options – The #1 WordPress Widget & Block Control Plugin, which has over 100,000 active installations globally. The vulnerability allows users with contributor privileges or higher to execute arbitrary code on affected WordPress sites. The widespread use of this plugin across various websites significantly increases the risk of exploitation, with potential compromises to sensitive data and system integrity.
| Product | wp-query-console |
| Date | 2024-12-02 10:00:25 |
| Information |
|
Technical Summary
CVE-2024-8672 affects all versions of the Widget Options plugin up to version 4.0.7, exploiting the plugin’s display logic functionality. The issue stems from the improper handling of user-supplied input, which is passed to the eval() function without adequate sanitization or role-based restrictions.
Key details:
Exploitation requirements: The attacker must have at least contributor privileges. Attack method: By injecting malicious code into the display logic settings, the attacker can execute arbitrary PHP code on the server, leading to a full site compromise. Vendor response: The vendor released a patch in version 4.0.8, but it does not include sufficient hardening measures, such as restricting execution to trusted roles or defining an allowlist of permitted functions, thus leaving some residual risks.
This vulnerability is classified as Critical with a CVSS score of 9.9.
Affected versions:
- Widget Options plugin versions 4.0.7 and earlier.
Recommendations
Update the Plugin:
Update to version 4.0.8 or later to apply the vendor’s fix.Verify User Roles:
Review and limit contributor privileges to prevent unnecessary access to display logic settings.
[Callforaction-THREAT-Footer]
