The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress contains a flaw that allows an authenticated user with at least Contributor permissions to run arbitrary PHP code on the server. The vulnerability arises because the plugin evaluates user‑supplied Display Logic expressions with eval() without proper input validation. An attacker can craft an expression that bypasses the blocked directives using array_map and string concatenation, thereby triggering eval. This gives the attacker full control over the WordPress installation, enabling data theft, site defacement, or further compromise.

Marketing Fire, LLC's Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin is affected in all releases up to and including version 4.2.2. The problem was partially addressed in 4.2.0, but a complete fix is only available in later releases. Administrators should check their installed version and apply the latest update when available.

The CVSS score of 8.8 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. The most likely attack path requires an authenticated user with Contributor or higher privileges. Since the flaw exploits eval() on user‑supplied data and bypasses an authorization check, the risk is significant for any site that permits contributors to configure widget display logic. An exploit would allow code execution with the permissions of the WordPress process, potentially leading to full site compromise.