{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27984", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:12:49.962Z", "datePublished": "2026-03-05T05:54:03.700Z", "dateUpdated": "2026-04-28T16:44:29.910Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "widget-options", "product": "Widget Options", "vendor": "Marketing Fire", "versions": [{"changes": [{"at": "4.2.0", "status": "unaffected"}], "lessThanOrEqual": "4.1.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "mcdruid | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:06:12.872Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection.<p>This issue affects Widget Options: from n/a through <= 4.1.3.</p>"}], "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection.This issue affects Widget Options: from n/a through <= 4.1.3."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:03.568Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/widget-options/vulnerability/wordpress-widget-options-plugin-4-1-3-remote-code-execution-rce-vulnerability?_s_id=cve"}], "title": "WordPress Widget Options plugin <= 4.1.3 - Remote Code Execution (RCE) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T20:51:40.896790Z", "id": "CVE-2026-27984", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:44:29.910Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27984", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:12:49.962Z", "datePublished": "2026-03-05T05:54:03.700Z", "dateUpdated": "2026-04-28T16:44:29.910Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "widget-options", "product": "Widget Options", "vendor": "Marketing Fire", "versions": [{"changes": [{"at": "4.2.0", "status": "unaffected"}], "lessThanOrEqual": "4.1.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "mcdruid | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:06:12.872Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection.<p>This issue affects Widget Options: from n/a through <= 4.1.3.</p>"}], "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection.This issue affects Widget Options: from n/a through <= 4.1.3."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:03.568Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/widget-options/vulnerability/wordpress-widget-options-plugin-4-1-3-remote-code-execution-rce-vulnerability?_s_id=cve"}], "title": "WordPress Widget Options plugin <= 4.1.3 - Remote Code Execution (RCE) vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27984", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T20:51:40.896790Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T20:50:26.343Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection.This issue affects Widget Options: from n/a through <= 4.1.3."}, {"lang": "es", "value": "Vulnerabilidad de control inadecuado de la generaci\u00f3n de c\u00f3digo ('Inyecci\u00f3n de C\u00f3digo') en Marketing Fire Widget Options widget-options permite la inyecci\u00f3n de c\u00f3digo. Este problema afecta a Widget Options: desde n/a hasta &lt;= 4.1.3."}], "id": "CVE-2026-27984", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:30.510", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/widget-options/vulnerability/wordpress-widget-options-plugin-4-1-3-remote-code-execution-rce-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.3]"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Widget Options", "source": "cna", "vendor": "Marketing Fire"}, "product": "widget-options", "vendor": "marketingfire"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T05:07:05.392411+00:00", "value": {"mitigation_remediation": ["Upgrade the WordPress Widget Options plugin to a newer version than 4.1.3 if available.", "If the update is not yet available, disable or remove the Widget Options plugin entirely.", "Restrict access to the plugin\u2019s configuration settings to administrative users only to limit exposure."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the Marketing Fire Widget Options plugin, commonly known as Widget Options. All releases from the original launch through version 4.1.3 are affected.", "description_and_impact": "The Widget Options plugin contains an improper control of code generation vulnerability that permits attackers to inject and execute arbitrary code, a type of code injection flaw identified as CWE\u201194. This can lead to full remote code execution on the web server, compromising confidentiality, integrity, and availability of the site and any data stored there.", "risk_and_exploitability": "The CVSS score of 9 indicates a critical severity level, yet the EPSS score of less than 1% suggests that exploitation has a low probability in the wild at this time. The flaw is not listed in the CISA KEV catalog. Attackers would likely exploit the flaw by sending crafted requests to the plugin\u2019s input fields, possibly via the plugin\u2019s front\u2011end or administrative interface; the attack vector is inferred to be remote through web traffic."}}}}, "created": "2026-03-06T15:11:56.308331+00:00", "updated": "2026-04-16T05:15:25.471594+00:00", "vendors": ["marketingfire", "marketingfire$PRODUCT$widget-options", "wordpress", "wordpress$PRODUCT$wordpress"]}