Description
Missing Authorization vulnerability in Marketing Fire Widget Options widget-options allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Widget Options: from n/a through <= 4.0.8.
Published: 2025-01-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that permits users to dismiss or manipulate widget notices without proper permission checks. By exploiting this weakness, an attacker could hide or alter notifications that might otherwise alert site operators to security issues, thereby reducing visibility into the site’s state and potentially enabling further unauthorized actions or denial of service.

Affected Systems

This issue affects the Marketing Fire Widget Options WordPress plugin for all releases from the earliest available version up through 4.0.8. WordPress sites running any of these plugin versions are susceptible.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity; the EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is the web interface: any authenticated user with access to the WordPress backend could trigger the notice dismissal. Because the attack requires no privileges beyond ordinary authenticated access (CVSS PR:L), the flaw can be leveraged by users with standard site roles, which increases its practical exploitability in administrative contexts.

Generated by OpenCVE AI on May 1, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Widget Options plugin to a version newer than 4.0.8
  • If an immediate upgrade is not possible, restrict access to the plugin’s settings page to administrators only, ensuring that only trusted users can dismiss notices
  • As a temporary workaround, deactivate or uninstall the Widget Options plugin to prevent exploitation until a patched version is available

Generated by OpenCVE AI on May 1, 2026 at 19:52 UTC.
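As an added illustration of the weakness class (CWE-862) and of the mitigation the recommended actions describe, the following is the shape of a WordPress AJAX notice-dismissal handler with its authorization check missing, next to the same handler with a nonce check and a capability check. This is example code written for this page; it is not code from the Widget Options plugin, Patchstack or OpenCVE, and every function, option, AJAX action and nonce name in it is a hypothetical placeholder.

```php
<?php
// Hypothetical notice-dismissal handlers written for this page to illustrate
// CWE-862 (Missing Authorization). Not code from the Widget Options plugin.
// The option name, AJAX action and nonce action below are made-up placeholders.

// Vulnerable pattern: wp_ajax_* hooks fire for any logged-in user who reaches
// wp-admin/admin-ajax.php. Authentication is checked by WordPress core, but
// nothing here checks what the caller is authorized to do or whether the
// request was intentionally issued from the admin page (no nonce).
function example_dismiss_notice_unchecked() {
    $notice    = isset( $_POST['notice'] ) ? sanitize_key( $_POST['notice'] ) : '';
    $dismissed = (array) get_option( 'example_dismissed_notices', array() );

    // Site-wide state is modified on behalf of any subscriber-level account.
    $dismissed[ $notice ] = time();
    update_option( 'example_dismissed_notices', $dismissed );
    wp_send_json_success();
}

// Hardened pattern: verify the nonce first (CSRF guard), then require a
// capability that matches the state being changed. Dismissing a plugin-wide
// admin notice changes site-wide configuration, so manage_options is used.
function example_dismiss_notice_checked() {
    // check_ajax_referer() terminates the request with -1 if the nonce is
    // missing or invalid; the second argument is the $_POST key carrying it.
    check_ajax_referer( 'example_dismiss_notice', 'nonce' );

    // Authorization check that the vulnerable handler lacks.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $notice = isset( $_POST['notice'] ) ? sanitize_key( $_POST['notice'] ) : '';
    if ( '' === $notice ) {
        wp_send_json_error( array( 'message' => 'missing notice id' ), 400 );
    }

    $dismissed            = (array) get_option( 'example_dismissed_notices', array() );
    $dismissed[ $notice ] = time();
    update_option( 'example_dismissed_notices', $dismissed );
    wp_send_json_success();
}

// Only the checked handler is registered. The admin page that renders the
// notice must hand the client a nonce created with
// wp_create_nonce( 'example_dismiss_notice' ) (e.g. via wp_localize_script())
// so that it can be sent back as $_POST['nonce'].
add_action( 'wp_ajax_example_dismiss_notice', 'example_dismiss_notice_checked' );
```

Design note: if a notice is meant to be dismissable per user rather than site-wide, the correct fix is different in kind, not just in capability: store the dismissal in that user's metadata (keyed on get_current_user_id()) so a low-privilege account can only ever affect its own view, and keep the nonce check either way.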


Advisories
Source: EUVD
ID: EUVD-2025-2943
Title: Missing Authorization vulnerability in Widget Options Team Widget Options allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Widget Options: from n/a through 4.0.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
  Value: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
  Value removed: Missing Authorization vulnerability in Widget Options Team Widget Options allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Widget Options: from n/a through 4.0.8.
  Value added: Missing Authorization vulnerability in Marketing Fire Widget Options widget-options allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Widget Options: from n/a through <= 4.0.8.
  Type: References
  Type: Metrics (cvssV3_1)
  Value: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Tue, 21 Jan 2025 19:15:00 +0000

  Type: Metrics (ssvc)
  Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Jan 2025 17:30:00 +0000

  Type: Description
  Value added: Missing Authorization vulnerability in Widget Options Team Widget Options allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Widget Options: from n/a through 4.0.8.
  Type: Title
  Value added: WordPress Widget Options plugin <= 4.0.8 - Broken Access Control to Notice Dimissal vulnerability
  Type: Weaknesses
  Value added: CWE-862
  Type: References
  Type: Metrics (cvssV3_1)
  Value added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:05.846Z

Reserved: 2025-01-07T21:03:44.260Z

Link: CVE-2025-22722

Vulnrichment

Updated: 2025-01-21T18:35:44.805Z

NVD

Status : Deferred

Published: 2025-01-21T18:15:16.057

Modified: 2026-04-23T15:23:29.743

Link: CVE-2025-22722

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:00:13Z

Weaknesses