PT-2024-9156 · WordPress · The Widget Options

Craig Smith +1 · Published 2024-11-27 · Updated 2025-03-21 · CVE-2024-8672

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Widget Options – The #1 WordPress Widget & Block Control Plugin, versions up to and including 4.0.7

Description: The plugin passes user-supplied input to PHP's eval() function without any filtering or capability checks. This makes it possible for authenticated attackers with contributor-level access or higher to execute code on the server. The flaw lies in the plugin's display logic functionality, which extends several page builders. An estimated 100,000+ websites using the plugin are potentially affected.

Recommendations: If running version 4.0.7 or earlier, update to version 4.0.8 immediately. As a temporary workaround, restrict access to the display logic functionality to reduce the risk of exploitation. Additionally, limiting the ability to execute commands to administrators only helps mitigate the risk.

Exploit · Fix · RCE · Code Injection


Weakness Enumeration

Related Identifiers

BDU:2024-10843
CVE-2024-8672

Affected Products

The Widget Options