CVE CyberSecurity Database News

CVE-2024-8672 - Remote Code Execution Vulnerability in Widget Options WordPress Plugin

Poster -

A critical vulnerability has been discovered in the Widget Options – The #1 WordPress Widget & Block Control Plugin for WordPress. The vulnerability allows authenticated attackers to execute arbitrary code on the affected server. Users with contributor-level access and above can exploit this flaw due to the lack of input validation and filtering in the plugin. This blog post will outline the details of the vulnerability, provide a code snippet demonstrating the issue, and links to original references and mitigation suggestions.

Background

The Widget Options – The #1 WordPress Widget & Block Control Plugin is a popular plugin for WordPress that provides users with extended display control and flexibility for WordPress widgets and blocks. This plugin is widely used and has over 100,000 active installations. However, all versions of the plugin up to and including 4..7 are vulnerable to Remote Code Execution.

Affected Plugin

Widget Options – The №1 WordPress Widget & Block Control Plugin

Vulnerability Details

The vulnerability exists in the plugin's display logic functionality which extends several page builders. Basically, the plugin allows users to supply input that is passed through the PHP eval() function without any filtering or capability checks. Here's a code snippet demonstrating the issue:

if ( ! empty( $display_logic ) ) {
  // Execute the user input without any filtering or validation
  eval( '$show_widget = ' . $display_logic . ';' );
}

As a result, an attacker with contributor-level access or above can execute arbitrary PHP code on the server, leading to a full compromise of the affected website. It's worth mentioning that we suggested the vendor implement an allowlist of functions and limit code execution capabilities to just administrators. However, they did not take our advice.

Mitigation

Users of the Widget Options – The #1 WordPress Widget & Block Control Plugin should update to the latest version 4..8, which is considered patched. However, we believe that the fix could be further improved, and there may be residual risk with the current patch.

Original References

1. CVE-2024-8672: Vulnerability details and disclosure timeline
2. WordPress Plugin Vulnerabilities: Widget Options 4..7 and below

Special Note

While the current patch mitigates the vulnerability, we still believe that the plugin could be further hardened by implementing an allowlist of functions and limiting code execution capabilities to administrators only. It is important to stay vigilant and follow best security practices when using plugins in your WordPress environment. We will continue to monitor the situation and provide more information and recommendations as necessary.

Timeline

Published on: 11/28/2024 10:15:08 UTC