CVE-2026-2052

Name of the Vulnerable Software and Affected Versions Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets versions prior to 4.2.3

Description Remote Code Execution is possible via the Display Logic feature. The issue arises because the plugin uses the eval() function on user-supplied Display Logic expressions with an insufficient blocklist/allowlist that can be bypassed using array map with string concatenation. Additionally, there is a lack of authorization enforcement on the extended widget opts block attribute. This allows authenticated attackers with Contributor-level access or higher to execute arbitrary code on the server.

Recommendations Update to a version later than 4.2.2.