Description
The Widget Context plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing or incorrect nonce validation on the save_widget_context_settings function. This makes it possible for unauthenticated attackers to modify widget visibility context settings stored in the WordPress options table via a forged POST request to /wp-admin/widgets.php, granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-05-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Widget Context plugin for WordPress has a missing or incorrectly implemented nonce check in its settings update routine (save_widget_context_settings), which leaves that routine open to cross-site request forgery. An attacker who can lure an authenticated administrator into visiting a crafted page can have the administrator's own browser submit a forged POST request to /wp-admin/widgets.php, which changes the widget visibility context settings stored in the WordPress options table. The attacker can thereby alter which visitors see which widgets, for example exposing content that was meant to be hidden or hiding content that should be shown. The request does not read anything back, which matches the integrity-only impact in the CVSS vector.

Affected Systems

The vulnerability affects all installations of the Widget Context plugin by kasparsd running version 1.3.3 or earlier. Any WordPress site that has not upgraded beyond that version is exposed.

Risk and Exploitability

The vulnerability has a CVSS 3.1 base score of 4.3 (Medium), vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: it is reachable over the network without prior privileges, but requires user interaction and has a low, integrity-only impact. The EPSS score is below 1%, and the vulnerability is not listed in CISA's KEV catalog. Because the flaw is a CSRF, the attacker does not need to compromise the administrator's session; the administrator's already-authenticated browser sends the forged request with the existing login cookies. The attacker does, however, need to convince a logged-in administrator to visit a page or click a link they control, which rules out opportunistic mass exploitation and raises the effort required. Nonetheless, the potential for unauthorized configuration changes warrants prompt remediation.

Generated by OpenCVE AI on May 22, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest version of the Widget Context plugin that includes proper CSRF protection
  • If an upgrade cannot be deployed immediately, add a CSRF nonce check (check_admin_referer or wp_verify_nonce in WordPress core) to the settings save routine, or use a security plugin that enforces nonce validation on admin POST requests
  • Restrict access to the WordPress admin area by IP address or enable two‑factor authentication; note that neither blocks CSRF on its own, since the forged request is sent by the administrator's already-authenticated browser, so these controls only narrow who holds a usable admin session and complement, rather than replace, the nonce check

Generated by OpenCVE AI on May 22, 2026 at 09:22 UTC.
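The following is an added illustrative example, not code from the Widget Context plugin, from kasparsd or from OpenCVE. It puts the pattern the description names (a settings save routine on widgets.php with no nonce check) next to the hardened form the recommended actions call for. The function names, option name, nonce action, nonce field name and the structure of the 'wl' parameter are all hypothetical; only the parameter name 'wl' is taken from the advisory title. The WordPress APIs used (check_admin_referer, wp_nonce_field, current_user_can, update_option, map_deep, sanitize_key, submit_button, the load-widgets.php action) are real core functions.

```php
<?php
/*
 * Added illustrative example; not the Widget Context plugin's own code.
 * Everything prefixed example_ (functions, option, nonce action, nonce
 * field) is hypothetical, as is the shape of the 'wl' array.
 */

/* Vulnerable pattern: any POST that reaches widgets.php is trusted.
 * A page on an attacker's origin can auto-submit a form to
 * /wp-admin/widgets.php from an administrator's browser; the browser
 * attaches the WordPress login cookies and the option is overwritten. */
function example_save_widget_context_settings_vulnerable() {
	if ( ! isset( $_POST['wl'] ) ) {
		return;
	}
	// No nonce check and no capability check.
	update_option( 'example_widget_context_settings', wp_unslash( $_POST['wl'] ) );
}

/* Hardened pattern: the request must carry a nonce bound to this action
 * and to the current user's session, and the user must be allowed to
 * manage widgets. A cross-origin form cannot read the nonce value, so a
 * forged request stops at check_admin_referer(), which calls wp_die(). */
function example_save_widget_context_settings_hardened() {
	if ( ! isset( $_POST['wl'] ) ) {
		return;
	}
	check_admin_referer( 'example_widget_context_save', 'example_widget_context_nonce' );

	// edit_theme_options is the capability widgets.php itself requires.
	if ( ! current_user_can( 'edit_theme_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to change widget settings.', 'example' ), 403 );
	}

	$raw = wp_unslash( $_POST['wl'] );
	if ( ! is_array( $raw ) ) {
		return;
	}

	// Keep only well-formed widget IDs and sanitise every nested value.
	$clean = array();
	foreach ( $raw as $widget_id => $rules ) {
		$widget_id = sanitize_key( $widget_id );
		if ( '' === $widget_id ) {
			continue;
		}
		$clean[ $widget_id ] = map_deep( $rules, 'sanitize_text_field' );
	}
	update_option( 'example_widget_context_settings', $clean );
}

/* The legitimate form must emit the matching nonce field, otherwise the
 * hardened handler rejects the plugin's own submissions as well. */
function example_render_widget_context_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'widgets.php' ) ); ?>">
		<?php wp_nonce_field( 'example_widget_context_save', 'example_widget_context_nonce' ); ?>
		<label>
			<!-- hypothetical field layout: wl[<widget id>][<rule>] -->
			<input type="checkbox" name="wl[text-2][visibility]" value="hide" />
			Hide widget text-2 on the selected pages
		</label>
		<?php submit_button( __( 'Save', 'example' ) ); ?>
	</form>
	<?php
}

/* Run the hardened handler only when widgets.php is loaded in wp-admin. */
add_action( 'load-widgets.php', 'example_save_widget_context_settings_hardened' );
```

Both checks matter: the nonce alone would still let any logged-in user for whom the hook fires save settings, and the capability check alone does nothing against CSRF because the forged request arrives with the administrator's own capabilities. To confirm a fix on a live site, replay the save request without the nonce field, or with a stale one, and expect the "link you followed has expired" page that WordPress returns from check_admin_referer; a 200 response with the option changed means the check is not on the request path.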

Advisories

No advisories yet.

History

Sat, 23 May 2026 03:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 13:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Kasparsd; Kasparsd widget Context; Wordpress; Wordpress wordpress
Vendors & Products  |                | Kasparsd; Kasparsd widget Context; Wordpress; Wordpress wordpress

Fri, 22 May 2026 08:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The Widget Context plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing or incorrect nonce validation on the save_widget_context_settings function. This makes it possible for unauthenticated attackers to modify widget visibility context settings stored in the WordPress options table via a forged POST request to /wp-admin/widgets.php via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title       |                | Widget Context <= 1.3.3 - Cross-Site Request Forgery to Settings Update via 'wl' Parameter
Weaknesses  |                | CWE-352
References  |                |
Metrics     |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Kasparsd Widget Context
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-23T02:27:03.512Z

Reserved: 2026-05-01T13:11:17.046Z

Link: CVE-2026-7615

Vulnrichment

Updated: 2026-05-23T02:26:56.349Z

NVD

Status: Received

Published: 2026-05-22T09:16:32.250

Modified: 2026-05-22T09:16:32.250

Link: CVE-2026-7615

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T12:37:53Z

Weaknesses