CVE-2024-8672

CRITICAL

Widget Options WordPress Plugin <= 4.0.7 - Authenticated Remote Code Execution

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-8672. PoCs published by Chocapikk.

AI-analyzed exploit summary The repository provides a detailed writeup and PoC for CVE-2024-8672, an authenticated RCE vulnerability in the Widget Options WordPress plugin (versions 4.0.7 and earlier). It explains how the `widgetopts_safe_eval()` function allows Contributor-level users to execute arbitrary PHP code via crafted API requests.

Description

The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders. This is due to the plugin allowing users to supply input that will be passed through eval() without any filtering or capability checks. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server. Special note: We suggested the vendor implement an allowlist of functions and limit the ability to execute commands to just administrators, however, they did not take our advice. We are considering this patched, however, we believe it could still be further hardened and there may be residual risk with how the issue is currently patched.

Exploits (1)

nomisec WRITEUP 13 stars

by Chocapikk · poc

https://github.com/Chocapikk/CVE-2024-8672

View Code ZIP pw:eip

The repository provides a detailed writeup and PoC for CVE-2024-8672, an authenticated RCE vulnerability in the Widget Options WordPress plugin (versions 4.0.7 and earlier). It explains how the `widgetopts_safe_eval()` function allows Contributor-level users to execute arbitrary PHP code via crafted API requests.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Widget Options WordPress plugin <= 4.0.7

Auth required

Prerequisites: Valid WordPress Contributor account · Valid nonce for API requests

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Product

https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/pagebuilders/beaver/beaver.php#L825

Product

https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/pagebuilders/elementor/render.php#L379

Product

https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/widgets/gutenberg/gutenberg-toolbar.php#L718

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3192921%40widget-options&new=3192921%40widget-options&sfp_email=&sfph_mail=

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/8d03af4d-a1f9-4c15-a62e-f4cdbcfc9af7?source=cve

Scores

CVSS v3 9.9

EPSS 0.4380

EPSS Percentile 98.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (2)

marketingfire/Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets < 4.0.7

marketingfire/Widget Options – The #1 WordPress Widget & Block Control Plugin < 4.0.7

Published Nov 28, 2024

Tracked Since Feb 18, 2026