Platform
wordpress
Component
widget-wrangler
Fixed in
2.4.0
CVE-2026-25447 describes a Remote Code Execution (RCE) vulnerability within the Widget Wrangler WordPress plugin. This flaw allows attackers to inject arbitrary code, potentially leading to complete compromise of affected WordPress installations. The vulnerability impacts versions 0.0.0 through 2.3.9, and a fix is available in version 2.4.0.
The impact of this RCE vulnerability is severe. A successful exploit allows an attacker to execute arbitrary code on the server hosting the WordPress site, effectively granting them complete control. This could involve data theft, modification of website content, installation of malware, or even using the compromised server as a launchpad for further attacks. Given the widespread use of WordPress and the plugin's functionality, the potential blast radius is significant, impacting numerous websites and their users. The ability to execute arbitrary code bypasses standard security measures and poses a critical risk to data integrity and confidentiality.
CVE-2026-25447 was publicly disclosed on 2026-03-25. The vulnerability's CRITICAL CVSS score indicates a high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread attacks. The vulnerability is not currently listed on CISA KEV, but its severity warrants close monitoring.
Exploit Status
EPSS
0.06% (18% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25447 is to immediately upgrade the Widget Wrangler plugin to version 2.4.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While a direct WAF rule is difficult to implement without specific code patterns, a general rule blocking suspicious code injection attempts targeting the plugin's endpoints might offer limited protection. Monitor WordPress logs for unusual activity or code execution attempts related to the plugin.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-25447 is a critical RCE vulnerability in the Widget Wrangler WordPress plugin, allowing attackers to execute arbitrary code on vulnerable systems.
You are affected if you are using Widget Wrangler versions 0.0.0 through 2.3.9. Immediately upgrade to 2.4.0 or later.
Upgrade the Widget Wrangler plugin to version 2.4.0 or later. If immediate upgrade is not possible, temporarily disable the plugin.
While no active exploitation has been confirmed, the CRITICAL severity and public disclosure suggest a high likelihood of exploitation.
Refer to the Widget Wrangler project's official website or WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.