CRITICALCVE-2026-25447CVSS 9.1

WordPress Widget Wrangler plugin <= 2.3.9 - Remote Code Execution (RCE) vulnerability

Q: What is CVE-2026-25447 — Remote Code Execution in Widget Wrangler?

CVE-2026-25447 is a critical RCE vulnerability in the Widget Wrangler WordPress plugin, allowing attackers to execute arbitrary code on vulnerable systems.

Q: Am I affected by CVE-2026-25447 in Widget Wrangler?

You are affected if you are using Widget Wrangler versions 0.0.0 through 2.3.9. Immediately upgrade to 2.4.0 or later.

Q: How do I fix CVE-2026-25447 in Widget Wrangler?

Upgrade the Widget Wrangler plugin to version 2.4.0 or later. If immediate upgrade is not possible, temporarily disable the plugin.

Q: Is CVE-2026-25447 being actively exploited?

While no active exploitation has been confirmed, the CRITICAL severity and public disclosure suggest a high likelihood of exploitation.

Q: Where can I find the official Widget Wrangler advisory for CVE-2026-25447?

Refer to the Widget Wrangler project's official website or WordPress plugin repository for the latest advisory and update information.

翻译中…

平台

wordpress

组件

widget-wrangler

修复版本

2.4.0

AI Confidence: highNVDEPSS 0.1%已审阅: 2026年5月

在NVD查看

保存

正在翻译为您的语言…

CVE-2026-25447 describes a Remote Code Execution (RCE) vulnerability within the Widget Wrangler WordPress plugin. This flaw allows attackers to inject arbitrary code, potentially leading to complete compromise of affected WordPress installations. The vulnerability impacts versions 0.0.0 through 2.3.9, and a fix is available in version 2.4.0.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

The impact of this RCE vulnerability is severe. A successful exploit allows an attacker to execute arbitrary code on the server hosting the WordPress site, effectively granting them complete control. This could involve data theft, modification of website content, installation of malware, or even using the compromised server as a launchpad for further attacks. Given the widespread use of WordPress and the plugin's functionality, the potential blast radius is significant, impacting numerous websites and their users. The ability to execute arbitrary code bypasses standard security measures and poses a critical risk to data integrity and confidentiality.

利用背景翻译中…

CVE-2026-25447 was publicly disclosed on 2026-03-25. The vulnerability's CRITICAL CVSS score indicates a high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread attacks. The vulnerability is not currently listed on CISA KEV, but its severity warrants close monitoring.

哪些人处于风险中翻译中…

WordPress websites utilizing the Widget Wrangler plugin, particularly those running older, unpatched versions (0.0.0–2.3.9), are at significant risk. Shared hosting environments where multiple websites share the same server are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.

检测步骤翻译中…

• wordpress / composer / npm:

grep -r "widget-wrangler" /var/www/html/wp-content/plugins/
wp plugin list | grep widget-wrangler

• generic web:

curl -I https://your-wordpress-site.com/wp-content/plugins/widget-wrangler/

• wordpress / composer / npm:

wp plugin update widget-wrangler --version=2.4.0

攻击时间线

2026-03-25Disclosure
disclosure

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

报告1 份威胁报告

EPSS

0.06% (18% 百分位)

CISA SSVC

利用情况none

可自动化no

技术影响total

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 低 — 无需特殊条件，可以稳定地利用漏洞。
Privileges Required: 高 — 需要管理员或特权账户。
User Interaction: 无 — 攻击自动且无声，受害者无需任何操作。
Scope: 已改变 — 攻击可以超出脆弱组件，影响其他系统。
Confidentiality: 高 — 完全丧失机密性，攻击者可读取所有数据。
Integrity: 高 — 攻击者可写入、修改或删除任何数据。
Availability: 高 — 完全崩溃或资源耗尽，完全拒绝服务。

受影响的软件

组件widget-wrangler

供应商wordfence

影响范围修复版本

0.0.0 – 2.3.92.4.0

软件包信息

活跃安装数: 200小众
插件评分: 5.0
兼容至: 5.5.18
需要PHP版本: 5.3+

主页

弱点分类 (CWE)

CWE-94

时间线

已保留2026-02-02
发布日期2026-03-25
修改日期2026-04-28
EPSS 更新日期2026-04-02

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2026-25447 is to immediately upgrade the Widget Wrangler plugin to version 2.4.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While a direct WAF rule is difficult to implement without specific code patterns, a general rule blocking suspicious code injection attempts targeting the plugin's endpoints might offer limited protection. Monitor WordPress logs for unusual activity or code execution attempts related to the plugin.

修复方法翻译中…

No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2026-25447 — Remote Code Execution in Widget Wrangler?

CVE-2026-25447 is a critical RCE vulnerability in the Widget Wrangler WordPress plugin, allowing attackers to execute arbitrary code on vulnerable systems.

Am I affected by CVE-2026-25447 in Widget Wrangler?

You are affected if you are using Widget Wrangler versions 0.0.0 through 2.3.9. Immediately upgrade to 2.4.0 or later.

How do I fix CVE-2026-25447 in Widget Wrangler?

Upgrade the Widget Wrangler plugin to version 2.4.0 or later. If immediate upgrade is not possible, temporarily disable the plugin.

Is CVE-2026-25447 being actively exploited?

While no active exploitation has been confirmed, the CRITICAL severity and public disclosure suggest a high likelihood of exploitation.

Where can I find the official Widget Wrangler advisory for CVE-2026-25447?

Refer to the Widget Wrangler project's official website or WordPress plugin repository for the latest advisory and update information.

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE