Description
The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple functions in all versions up to, and including, 4.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-25
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (CWE-79)
Action: Patch
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw in the Widget Options plugin due to insufficient input sanitization and output escaping. Authenticated users with Contributor level or higher can inject arbitrary JavaScript into pages, which executes whenever a visitor loads the page. This can lead to session hijacking, defacement, and malicious redirection, compromising confidentiality, integrity, and availability of site data for all users. The weakness is identified as CWE-79.

Affected Systems

WordPress sites that have installed the Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin, version 4.1.2 or earlier. The vendor/product is marketingfire:Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets. No other vendors/products are impacted according to the CNA data. The vulnerability affects all WordPress installations that import or use widget settings from the affected plugin.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1% indicates a very low probability of widespread exploitation at this time. The weakness is not listed in the CISA KEV catalog. Exploitation requires authenticated access at Contributor level or higher, which most sites grant to registered authors or administrators. The attack vector can be through the plugin’s admin interface or any page where widget settings are stored and rendered. Because the flaw is stored, the malicious payload persists until the content is removed or the plugin is updated.

Generated by OpenCVE AI on April 22, 2026 at 12:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Widget Options plugin update (4.1.3 or newer).
  • If an update is not available, disable or uninstall the Widget Options plugin to eliminate the vulnerable code.
  • Configure a strict Content Security Policy that disallows inline scripts and self-origin scripts except those explicitly allowed, and monitor the site for any XSS attempts.

Generated by OpenCVE AI on April 22, 2026 at 12:58 UTC.

Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Wordpress; Wordpress wordpress
Vendors & Products                      Wordpress; Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Oct 2025 07:00:00 +0000

Type                  Values Removed    Values Added
Description                             The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple functions in all versions up to, and including, 4.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                                   Widget Options – The #1 WordPress Widget & Block Control Plugin <= 4.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses                              CWE-79
References
Metrics                                 cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:44.738Z

Reserved: 2025-09-16T19:56:41.305Z

Link: CVE-2025-10580

Vulnrichment

Updated: 2025-10-27T15:45:17.892Z

NVD

Status : Deferred

Published: 2025-10-25T07:15:39.587

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10580

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:00:09Z

Weaknesses