Description
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Marketing Fire Widget Options widget-options allows OS Command Injection.This issue affects Widget Options: from n/a through <= 4.1.0.
Published: 2025-02-14
Score: 9.9 Critical
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress sites running the Marketing Fire Widget Options plugin at version 4.1.0 or earlier are affected by an OS command injection flaw (CWE-77). According to the advisory, data a user can control is placed into an operating-system command without being neutralised, so a crafted option value can terminate the intended command and append further shell commands, which then run with the privileges of the web-server process. The CVSS vector on this page (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) describes an attack that is reachable over the network, needs only a low-privileged account, requires no interaction from a victim and changes scope: a successful exploit compromises the host that runs WordPress, not just the plugin, with total loss of confidentiality, integrity and availability.
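The following is an added illustrative example, not code from the Widget Options plugin (the page does not show the vulnerable code path). It contrasts the generic CWE-77 pattern the analysis describes, string concatenation of an option value into a shell command, with a hardened version that authorises the caller, allowlists the value and quotes every argument. The function names, the `image` option and the use of ImageMagick's `convert` are assumptions chosen for the demonstration; the functions only build and return the command string so that the example runs without invoking any external program.

```php
<?php
// Added example (not the plugin's code): the CWE-77 pattern and one way to harden it.

// --- Vulnerable pattern ---
// Hypothetical handler: an option value taken from a widget settings form is
// concatenated straight into a shell command line.
function build_thumbnail_command_vulnerable(array $opts): string
{
    // A value such as 'x.png; id' ends the convert command at ';' and runs 'id'.
    return 'convert ' . $opts['image'] . ' -resize 200x200 /tmp/thumb.png';
}

// --- Hardened version ---
function build_thumbnail_command_hardened(array $opts): string
{
    // 1. Authorisation. current_user_can() is WordPress's capability check; it is
    //    only called when running inside WordPress, so the example also runs stand-alone.
    if (function_exists('current_user_can') && !current_user_can('edit_theme_options')) {
        throw new RuntimeException('insufficient capability');
    }

    // 2. Allowlist: a bare file name with a known image extension, no path
    //    separators and no shell metacharacters. Anything else is rejected outright.
    $image = (string) ($opts['image'] ?? '');
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)\z/', $image)) {
        throw new InvalidArgumentException('rejected image name: ' . $image);
    }

    // 3. Defence in depth: even a validated value is quoted, so the shell sees
    //    exactly one literal argument per parameter.
    return 'convert ' . escapeshellarg($image)
         . ' -resize 200x200 ' . escapeshellarg('/tmp/thumb.png');
}

// Constructed inputs: one benign, one carrying an injected command.
$benign  = ['image' => 'logo.png'];
$hostile = ['image' => 'x.png; id'];

echo "vulnerable, benign : ", build_thumbnail_command_vulnerable($benign), "\n";
echo "vulnerable, hostile: ", build_thumbnail_command_vulnerable($hostile), "\n";
echo "hardened,   benign : ", build_thumbnail_command_hardened($benign), "\n";
try {
    build_thumbnail_command_hardened($hostile);
} catch (InvalidArgumentException $e) {
    echo "hardened,   hostile: ", $e->getMessage(), "\n";
}

// Shown for comparison only: escapeshellarg() alone turns the hostile value into a
// single quoted word ('x.png; id'), so 'id' would no longer run even without the allowlist.
echo "escapeshellarg only: convert ", escapeshellarg($hostile['image']), " -resize 200x200 /tmp/thumb.png\n";
```

The strongest fix is to keep the shell out of the picture entirely: on PHP 7.4 and later, `proc_open()` accepts the command as an array of arguments, which is executed directly without shell parsing, so metacharacters in any single argument cannot split the command. Quoting with `escapeshellarg()` is the fallback when a shell string is unavoidable; the allowlist is what keeps unexpected values out of the command in the first place.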

Affected Systems

Any WordPress installation with the Marketing Fire Widget Options plugin, from its first release up to and including version 4.1.0, is affected; the page lists no fixed version. The exposure exists wherever the plugin's code is active, because the flaw is in its server-side handling of option values rather than in any particular page on which a widget is displayed. A plugin that is installed but deactivated is not loaded by WordPress, which is why deactivation is offered as an interim measure below.

Risk and Exploitability

The CVSS score of 9.9 places this vulnerability in the "Critical" range. The EPSS score shown on this page (1.2 %) is low, indicating a small predicted probability of exploitation in the next 30 days, and the CVE is not listed in CISA's KEV catalog; the SSVC assessment recorded in the history below gives Exploitation: none, Automatable: no and Technical Impact: total. The vector's PR:L component means an attacker needs an authenticated account with low privileges, so the realistic entry point is a logged-in user who can reach the settings the plugin processes, not an anonymous visitor. Because the outcome is arbitrary command execution as the web-server user, with scope extending to the host, administrators should treat this as a priority vulnerability despite the low exploitation probability.

Generated by OpenCVE AI on May 1, 2026 at 16:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Marketing Fire Widget Options plugin to a version later than 4.1.0 as soon as the vendor publishes one, after confirming in the release notes or the Patchstack advisory that the release addresses this CVE; no fixed version is listed on this page.
  • If the plugin cannot be upgraded immediately, deactivate or uninstall it to eliminate the injection surface until a fixed version is available.
  • Enable PHP and server-level logging and monitor for shell processes spawned by the web-server or PHP-FPM worker account (for example, execve events for /bin/sh, bash, curl or wget whose parent is the PHP worker), which are unexpected for a widget plugin; review web-server access logs for requests to the plugin's settings endpoints from low-privileged accounts around the same time.

Generated by OpenCVE AI on May 1, 2026 at 16:39 UTC.

Advisories
Source   ID               Title
EUVD     EUVD-2025-2895   Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in MarketingFire Widget Options allows OS Command Injection.This issue affects Widget Options: from n/a through 4.1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in MarketingFire Widget Options allows OS Command Injection.This issue affects Widget Options: from n/a through 4.1.0. Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Marketing Fire Widget Options widget-options allows OS Command Injection.This issue affects Widget Options: from n/a through <= 4.1.0.
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00259}

epss

{'score': 0.00279}


Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0044}

epss

{'score': 0.00259}


Fri, 14 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 14 Feb 2025 07:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in MarketingFire Widget Options allows OS Command Injection.This issue affects Widget Options: from n/a through 4.1.0.
Title WordPress Widget Options Plugin <= 4.1.0 - Arbitrary Code Execution vulnerability
Weaknesses CWE-77
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:02.370Z

Reserved: 2025-01-07T21:02:24.869Z

Link: CVE-2025-22630

Vulnrichment

Updated: 2025-02-14T15:36:21.733Z

NVD

Status : Deferred

Published: 2025-02-14T07:15:32.750

Modified: 2026-04-23T15:23:17.620

Link: CVE-2025-22630

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:45:20Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')