CVE-2026-2052: RCE in Widget Options for Gutenberg & Classic Widgets
Platform: wordpress
Component: widget-options
Fixed in: 4.2.3
CVE-2026-2052 is a Remote Code Execution (RCE) vulnerability affecting the Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress. This vulnerability allows authenticated attackers, even those with limited Contributor-level access, to execute arbitrary code on the server. The vulnerability exists in versions up to 4.2.2 and has been resolved in version 4.2.3, which is now available.
Impact and Attack Scenarios
The core of the vulnerability lies in the plugin's use of eval() on user-supplied Display Logic expressions within the Display Logic feature. The plugin attempts to mitigate this risk with a blocklist, but it can be bypassed using array_map combined with string concatenation. This allows an attacker to inject malicious code that will be executed by the server. Successful exploitation grants the attacker complete control over the affected WordPress instance, enabling them to modify files, install malware, steal sensitive data, or even pivot to other systems on the network. The low access requirement (Contributor level) significantly broadens the potential attack surface.
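The safe alternative to running eval() behind a blocklist is to never hand user input to an evaluator at all. The following PHP class is an added example (not the plugin's code and not from this page): it parses a Display Logic style expression against an allowlisted grammar and rejects everything else, assuming expressions are built from zero-argument WordPress conditional tags combined with `&&`, `||`, `!` and parentheses; the allowlist entries are constructed stand-ins so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code: a Display Logic style expression evaluated without eval().
// Assumes expressions combine zero-argument conditional tags with && || ! and parentheses.
final class SafeDisplayLogic
{
    private array $tokens = [];
    private int $pos = 0;
    public function __construct(private array $allowed) {} // tag name => callable(): bool

    // Parse, then evaluate; anything outside the grammar throws instead of reaching an evaluator.
    public function evaluate(string $expr): bool
    {
        // Tokenize operators, parens and identifiers (optional "()"); \S catches stray quotes, dots, commas, $.
        preg_match_all('/\|\||&&|!|\(|\)|[A-Za-z_]\w*(?:\(\))?|\S/', $expr, $m);
        foreach ($m[0] as $t) {
            if (!preg_match('/^(?:\|\||&&|!|\(|\)|[A-Za-z_]\w*(?:\(\))?)$/', $t)) {
                throw new InvalidArgumentException("unexpected token '$t'");
            }
        }
        [$this->tokens, $this->pos] = [$m[0], 0];
        $v = $this->parseOr();
        if ($this->pos !== count($this->tokens)) throw new InvalidArgumentException('trailing input');
        return $v;
    }
    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function parseOr(): bool  { return $this->binary('||', fn() => $this->parseAnd()); }
    private function parseAnd(): bool { return $this->binary('&&', fn() => $this->parseNot()); }
    private function binary(string $op, callable $operand): bool
    {   // The right operand is always parsed, so syntax errors surface even when the result short-circuits.
        $v = $operand();
        while ($this->peek() === $op) { $this->pos++; $r = $operand(); $v = $op === '||' ? ($v || $r) : ($v && $r); }
        return $v;
    }
    private function parseNot(): bool
    {
        if ($this->peek() === '!') { $this->pos++; return !$this->parseNot(); }
        if ($this->peek() === '(') {
            $this->pos++; $v = $this->parseOr();
            if ($this->peek() !== ')') throw new InvalidArgumentException('missing )');
            $this->pos++; return $v;
        }
        $name = rtrim((string) $this->peek(), '()');   // "is_home()" -> "is_home"
        if (!isset($this->allowed[$name])) throw new InvalidArgumentException("'$name' is not an allowlisted tag");
        $this->pos++; return (bool) ($this->allowed[$name])();
    }
}
// Constructed stand-ins for WordPress conditional tags so the example runs outside WordPress.
$logic = new SafeDisplayLogic(['is_front_page' => fn() => true, 'is_user_logged_in' => fn() => false]);
var_dump($logic->evaluate('is_front_page() && !is_user_logged_in()'));
foreach (['array_map("strlen", ["a"])', 'is_front_page() . "x"', 'phpinfo()'] as $bad) {
    try { $logic->evaluate($bad); } catch (InvalidArgumentException $e) { echo "rejected: {$e->getMessage()}\n"; }
}
```

Because only identifiers on the allowlist are ever called, the function-call, concatenation and array_map constructs the advisory mentions are rejected at the tokenizer or allowlist stage rather than filtered by a blocklist.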
Exploitation Context
CVE-2026-2052 was published on May 2, 2026. The EPSS score is currently pending evaluation, but the RCE nature and relatively low access requirement suggest a medium-to-high likelihood of exploitation. Public proof-of-concept (POC) code is likely to emerge, increasing the risk. Monitor security advisories from WordPress and related security communities for updates and for active campaigns targeting this vulnerability.
Threat Intelligence
Exploit Status
EPSS: 0.06% (20th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: High — complete crash or resource exhaustion. Full denial of service.
Mitigation and Workarounds
The primary mitigation is to upgrade the Widget Options plugin to version 4.2.3 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider temporarily disabling the 'Display Logic' feature in the plugin's settings; this is not a complete solution, but it prevents new exploitation attempts. A Web Application Firewall (WAF) with rules that block requests carrying PHP code constructs such as eval(), array_map or string concatenation in Display Logic fields adds a further layer of defense. Monitor WordPress and PHP logs for suspicious activity, in particular unusual PHP errors or attempts to execute arbitrary code.
How to fix
Update to version 4.2.3 or a newer patched version.
Frequently asked questions
What is CVE-2026-2052 — RCE in Widget Options for Gutenberg & Classic Widgets?
CVE-2026-2052 is a Remote Code Execution vulnerability in the Widget Options plugin for WordPress, allowing attackers to execute arbitrary code via a bypass of the eval() function's intended security measures.
Am I affected by CVE-2026-2052 in Widget Options for Gutenberg & Classic Widgets?
You are affected if you are using the Widget Options plugin for WordPress in versions 4.2.2 or earlier. Check your plugin version immediately.
How do I fix CVE-2026-2052 in Widget Options for Gutenberg & Classic Widgets?
Upgrade the Widget Options plugin to version 4.2.3 or later. If immediate upgrade is not possible, temporarily disable the 'Display Logic' feature.
Is CVE-2026-2052 being actively exploited?
While no active campaigns are currently confirmed, the RCE nature and ease of exploitation suggest a high likelihood of exploitation attempts in the near future.
Where can I find the official Widget Options advisory for CVE-2026-2052?
Refer to the official Widget Options plugin website and WordPress security announcements for the latest advisory and updates: [https://wordpress.org/plugins/widget-options/](https://wordpress.org/plugins/widget-options/)