Plateforme
wordpress
Composant
widget-wrangler
Corrigé dans
2.4.0
CVE-2026-25447 describes a Remote Code Execution (RCE) vulnerability within the Widget Wrangler WordPress plugin. This flaw allows attackers to inject arbitrary code, potentially leading to complete compromise of affected WordPress installations. The vulnerability impacts versions 0.0.0 through 2.3.9, and a fix is available in version 2.4.0.
The impact of this RCE vulnerability is severe. A successful exploit allows an attacker to execute arbitrary code on the server hosting the WordPress site, effectively granting them complete control. This could involve data theft, modification of website content, installation of malware, or even using the compromised server as a launchpad for further attacks. Given the widespread use of WordPress and the plugin's functionality, the potential blast radius is significant, impacting numerous websites and their users. The ability to execute arbitrary code bypasses standard security measures and poses a critical risk to data integrity and confidentiality.
CVE-2026-25447 was publicly disclosed on 2026-03-25. The vulnerability's CRITICAL CVSS score indicates a high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread attacks. The vulnerability is not currently listed on CISA KEV, but its severity warrants close monitoring.
WordPress websites utilizing the Widget Wrangler plugin, particularly those running older, unpatched versions (0.0.0–2.3.9), are at significant risk. Shared hosting environments where multiple websites share the same server are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "widget-wrangler" /var/www/html/wp-content/plugins/
wp plugin list | grep widget-wrangler• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/widget-wrangler/• wordpress / composer / npm:
wp plugin update widget-wrangler --version=2.4.0disclosure
Statut de l'Exploit
EPSS
0.06% (percentile 18%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2026-25447 is to immediately upgrade the Widget Wrangler plugin to version 2.4.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While a direct WAF rule is difficult to implement without specific code patterns, a general rule blocking suspicious code injection attempts targeting the plugin's endpoints might offer limited protection. Monitor WordPress logs for unusual activity or code execution attempts related to the plugin.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2026-25447 is a critical RCE vulnerability in the Widget Wrangler WordPress plugin, allowing attackers to execute arbitrary code on vulnerable systems.
You are affected if you are using Widget Wrangler versions 0.0.0 through 2.3.9. Immediately upgrade to 2.4.0 or later.
Upgrade the Widget Wrangler plugin to version 2.4.0 or later. If immediate upgrade is not possible, temporarily disable the plugin.
While no active exploitation has been confirmed, the CRITICAL severity and public disclosure suggest a high likelihood of exploitation.
Refer to the Widget Wrangler project's official website or WordPress plugin repository for the latest advisory and update information.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.