Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection. This issue affects Widget Options: from n/a through <= 4.1.3.
Published: 2026-03-05
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Widget Options plugin contains an improper control of code generation vulnerability that permits attackers to inject and execute arbitrary code, a type of code injection flaw identified as CWE‑94. This can lead to full remote code execution on the web server, compromising confidentiality, integrity, and availability of the site and any data stored there.

Affected Systems

The vulnerability impacts the Marketing Fire Widget Options plugin, commonly known as Widget Options. All releases from the original launch through version 4.1.3 are affected.

Risk and Exploitability

The CVSS score of 9 indicates a critical severity level, yet the EPSS score of less than 1% suggests that exploitation has a low probability in the wild at this time. The flaw is not listed in the CISA KEV catalog. Attackers would likely exploit the flaw by sending crafted requests to the plugin’s input fields, possibly via the plugin’s front‑end or administrative interface; the attack vector is inferred to be remote through web traffic.

Generated by OpenCVE AI on April 16, 2026 at 05:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Widget Options plugin to a newer version than 4.1.3 if available.
  • If the update is not yet available, disable or remove the Widget Options plugin entirely.
  • Restrict access to the plugin’s configuration settings to administrative users only to limit exposure.



Advisories

No advisories yet.

History

Fri, 06 Mar 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Marketingfire
  Marketingfire widget-options
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Marketingfire
  Marketingfire widget-options
  Wordpress
  Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description, Title, Weaknesses, References
Values Removed: (none)
Values Added:
  Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection. This issue affects Widget Options: from n/a through <= 4.1.3.
  Title: WordPress Widget Options plugin <= 4.1.3 - Remote Code Execution (RCE) vulnerability
  Weaknesses: CWE-94
  References:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:17.858Z

Reserved: 2026-02-25T12:12:49.962Z

Link: CVE-2026-27984

Vulnrichment

Updated: 2026-03-06T20:50:26.343Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:30.510

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-27984

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:15:25Z

Weaknesses