TopVuln

High-risk vulnerability digests

CVE-2026-2052

  • HIGH

Details

CVSS v3: 8.8
NVD published: 2026-05-02 08:16:27
EPSS: <0.1% probability · 19.9th percentile · 2026-05-12
Affected versions: Widget Options plugin for WordPress, all versions <= 4.2.2
Summary
This vulnerability allows authenticated attackers with Contributor-level access or higher to execute arbitrary code on the server. The plugin uses unsafe eval() on user-supplied Display Logic expressions, with an insufficient blocklist that can be easily bypassed. The issue was only partially patched in version 4.2.0 and remains exploitable up to 4.2.2.
Remediation
Update the Widget Options plugin to the latest fully patched version immediately. Disable the plugin if you are running an unpatched version and a fix is not available. Restrict permissions for low-privilege contributor accounts to limit the attack surface.
Exploit info
No public exploit found yet.
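To apply the affected range above across hosts, the following added example (not code from the plugin or from this digest) reads the installed plugin's header version and flags anything at or below 4.2.2, including the partially patched 4.2.0. The plugin directory name `widget-options` and the fixture file name `plugin.php` are assumptions; adjust them to your installs.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (4, 2, 2)      # advisory: all versions <= 4.2.2 are affected
PLUGIN_DIR = "widget-options"  # assumption: the plugin's directory name

NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.M | re.I)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.M | re.I)

def parse_version(text):
    """'4.2.2' -> (4, 2, 2); '4.2' -> (4, 2, 0); None if no leading number."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def installed_version(wp_root):
    """Read Version from the plugin's main-file header; None if absent."""
    plugin = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_DIR
    if not plugin.is_dir():
        return None
    for php in sorted(plugin.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        match = VERSION_RE.search(head) if NAME_RE.search(head) else None
        if match:
            return match.group(1)
    return None

def assess(wp_root):
    raw = installed_version(wp_root)
    if raw is None:
        return "not-installed"
    ver = parse_version(raw)
    if ver is None:
        return "unknown"  # unparseable header: review by hand
    return "affected" if ver <= LAST_AFFECTED else "outside-affected-range"

def make_sample(root, version):
    """Constructed test fixture: a fake install with the given header version."""
    d = Path(root) / "wp-content" / "plugins" / PLUGIN_DIR
    d.mkdir(parents=True)
    (d / "plugin.php").write_text(
        f"<?php\n/**\n * Plugin Name: Widget Options\n * Version: {version}\n */\n")
    return root

if __name__ == "__main__":
    for v in ("4.2.0", "4.2.2", "4.10.0"):
        with tempfile.TemporaryDirectory() as tmp:
            print(v, assess(make_sample(tmp, v)))
```

A result of `outside-affected-range` only means the version is above 4.2.2; confirm the fixed release with the vendor before treating the site as remediated.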
