cleantalk
Vulnerabilities and Security Researches

Widget Options – The #1 WordPress Widget & Block Control Plugin, CVE-2025-10580

CVE, Research URL

CVE-2025-10580

Home page URL

Security reports for Widget Options – The #1 WordPress Widget & Block Control Plugin

Application

Widget Options – The #1 WordPress Widget & Block Control Plugin

Published on
Oct 25, 2025
Research Description
The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple functions in all versions up to, and including, 4.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 4.1.3.
Status
vulnerable
Previous vulnerability researches
wpForo Forum (CVE-2019-19109) , Jun 06, 2024
wpForo Forum (CVE-2022-40205) , Jun 06, 2024
wpForo Forum (CVE-2021-24406) , Jun 06, 2024
wpForo Forum (CVE-2022-38144) , Jun 06, 2024
wpForo Forum (CVE-2019-19112) , Jun 06, 2024
New vulnerability
Likert Survey Master (CVE-2025-53426) , Nov 10, 2025
Uji Countdown (CVE-2025-52749) , Nov 10, 2025
Selling Commander for WooCommerce – connector plugin (CVE-2025-60243) , Nov 10, 2025
Image Gallery block – Create and display photo gallery/photo album. (CVE-2025-49394) , Nov 10, 2025
RioVizual – WordPress Gutenberg Table Blocks Plugin (CVE-2025-62932) , Nov 10, 2025