cleantalk
Vulnerabilities and Security Researches

Widget Options – The #1 WordPress Widget & Block Control Plugin, CVE-2026-2052

CVE, Research URL

CVE-2026-2052

Home page URL

Security reports for Widget Options – The #1 WordPress Widget & Block Control Plugin

Application

Widget Options – The #1 WordPress Widget & Block Control Plugin

Published on
May 02, 2026
Research Description
The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via the Display Logic feature. This is due to the plugin using eval() on user-supplied Display Logic expressions with an insufficient blocklist/allowlist that can be bypassed using array_map with string concatenation, combined with a lack of authorization enforcement on the extended_widget_opts_block attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. The vulnerability was partially patched in version 4.2.0.
Affected versions
max 4.2.3.
Status
vulnerable
Previous vulnerability researches
Payment Gateway for ACBA BANK (CVE-2024-13362) , May 03, 2026
New vulnerability
KiviCare – Clinic & Patient Management System (EHR) (CVE-2026-40792) , May 03, 2026
Posts List Designer by Category – List Category Posts Or Recent Posts (CVE-2024-13362) , May 03, 2026
XT Variation Swatches for WooCommerce (CVE-2024-13362) , May 03, 2026
Dynamic Copyright Year (CVE-2024-13362) , May 03, 2026
rtMedia for WordPress, BuddyPress and bbPress (CVE-2026-40773) , May 03, 2026