CVE-2019-12826

HIGH

Widget Logic < 5.10.2 - Cross-Site Request Forgery to Remote Code Execution via Widget Snippet Injection

Title source: llm
STIX 2.1

Description

A Cross-Site-Request-Forgery (CSRF) vulnerability in widget_logic.php in the 2by2host Widget Logic plugin before 5.10.2 for WordPress allows remote attackers to execute PHP code via snippets (that are attached to widgets and then eval'd to dynamically determine their visibility) by crafting a malicious POST request that tricks administrators into adding the code.

References (4)

Core 4
Core References
Exploit, Third Party Advisory x_refsource_misc
https://dannewitz.ninja/posts/widget-logic-csrf-to-rce
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9413
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9403

Scores

CVSS v3 8.8
EPSS 0.0111
EPSS Percentile 61.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
wpchef/widget_logic < 5.10.2
Published Jul 01, 2019
Tracked Since Feb 18, 2026