Overview
- Description: The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders. This is due to the plugin allowing users to supply input that will be passed through eval() without any filtering or capability checks. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server. Special note: We suggested the vendor implement an allowlist of functions and limit the ability to execute commands to just administrators, however, they did not take our advice. We are considering this patched, however, we believe it could still be further hardened and there may be residual risk with how the issue is currently patched.
- Source: security@wordfence.com
- NVD status: Received
Risk scores
CVSS 3.1
- Type: Primary
- Base score: 9.9
- Impact score: 6
- Exploitability score: 3.1
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Severity: CRITICAL
Weaknesses
- security@wordfence.com: CWE-94
Social media
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 1
#exploit 1. CVE-2024-49039: Windows Task Scheduler EoP https://t.co/bnmDNN2g0C 2. CVE-2024-44308: Apple Safari JavaScriptCore RCE https://t.co/Dtori8bcJ7 3. CVE-2024-8672: Authenticated Contributor RCE in Widget Options Plugin https://t.co/DHCWp89DtD
- @ksg93rd, 4 Dec 2024: 126 impressions, 4 retweets, 9 likes, 3 bookmarks, 0 replies, 0 quotes
CVE-2024-8672 (CVSS:9.9, CRITICAL) is Awaiting Analysis. The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Ex..https://t.co/bouqQaIilZ #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre
- @cracbot, 3 Dec 2024: 5 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes
Reproduced CVE-2024-8672: Authenticated RCE in Widget Options Plugin (WordPress). PoC and details: https://t.co/ZVUOmqCQHU
- @Chocapikk_, 2 Dec 2024: 5953 impressions, 24 retweets, 98 likes, 35 bookmarks, 0 replies, 0 quotes
CVE-2024-8672: Code Injection in Widget Options WP Plugin, 9.9 rating 🔥 Vuln allows an attacker to enter data that is passed without proper filtering. Potential RCE. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/bNKRZCiKoX #cybersecurity #vulnerability_map https://
- @Netlas_io, 2 Dec 2024: 92 impressions, 1 retweet, 1 like, 0 bookmarks, 0 replies, 0 quotes
🚨🚨CVE-2024-8672 (CVSS: 9.9) : Critical Flaw in Widget Options Plugin Threatens 100,000+ Websites ⚠️This flaw posed a significant threat to websites utilizing the plugin, potentially allowing malicious actors with contributor-level access or above to execute arbitrary code on… h
- @zoomeye_team, 2 Dec 2024: 567 impressions, 2 retweets, 7 likes, 0 bookmarks, 0 replies, 0 quotes
⚠️ CVE-2024-8672: Critical Flaw in Widget Options Plugin (WordPress) - Severity: CVSSv3 score of 9.9 (Critical). - Affected: 100,000+ websites using the plugin. - Patched version: 4.0.8 - all users must update immediately. The Flaw: - Feature affected: "Display Logic"…
- @Ransom_DB, 1 Dec 2024: 125 impressions, 0 retweets, 0 likes, 1 bookmark, 0 replies, 0 quotes
⚠️ CVE-2024-8672: Critical Flaw in Widget Options Plugin - Severity: CVSSv3 score of 9.9 (Critical). - Affected: 100,000+ websites using the plugin. - Patched version: 4.0.8 - all users must update immediately. The Flaw: - Feature affected: "Display Logic"… https://t.
- @Ransom_DB, 1 Dec 2024: 6 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes
CVE-2024-8672 (CVSS 9.9): Critical Flaw in Widget Options Plugin Threatens 100,000+ Websites https://t.co/si4ZLaZnLB
- @Dinosn, 1 Dec 2024: 2045 impressions, 4 retweets, 11 likes, 2 bookmarks, 0 replies, 0 quotes
CVE-2024-8672 (CVSS 9.9): Critical Flaw in Widget Options Plugin Threatens 100,000+ Websites This flaw posed a significant threat to websites utilizing the plugin, potentially allowing malicious actors to execute arbitrary code on the server. https://t.co/xqnghFXuQq
- @the_yellow_fall, 1 Dec 2024: 253 impressions, 0 retweets, 2 likes, 0 bookmarks, 0 replies, 0 quotes
🗣 CVE-2024-8672 (CVSS 9.9): Critical Flaw in Widget Options Plugin Threatens 100,000+ Websites https://t.co/76IAUoeVX5
- @fridaysecurity, 1 Dec 2024: 54 impressions, 0 retweets, 0 likes, 1 bookmark, 0 replies, 0 quotes
CVE-2024-8672 The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.… https://t.co/KReKcwkCA1
- @CVEnew, 28 Nov 2024: 370 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes
[CVE-2024-8672: CRITICAL] The WordPress Widget Options plugin is vulnerable to Remote Code Execution up to version 4.0.7 via display logic functionality, allowing attackers to execute code on the server.#cybersecurity,#vulnerability https://t.co/7jwYwVPm4D https://t.co/BgwKF1yLzC
- @CveFindCom, 28 Nov 2024: 38 impressions, 0 retweets, 0 likes, 0 bookmarks, 0 replies, 0 quotes