Paul Dannewitz

**Name of the Vulnerable Software and Affected Versions** 2by2host Widget Logic plugin versions prior to 5.10.2 **Description** A Cross-Site-Request-Forgery (CSRF) issue allows remote attackers to execute PHP code by crafting a malicious POST request that tricks administrators into adding the code. This is achieved through snippets attached to widgets, which are then evaluated to dynamically determine their visibility. **Recommendations** For versions prior to 5.10.2, update to version 5.10.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the widget logic.php file to minimize the risk of exploitation. Avoid using the eval function for snippets attached to widgets until the issue is resolved.