CVE-2026-7615

Name of the Vulnerable Software and Affected Versions Widget Context plugin for WordPress versions prior to 1.3.4

Description The plugin is susceptible to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a victim into executing unwanted actions. This occurs because the save widget context settings() function lacks proper nonce validation. A nonce is a unique token used to verify that a request was intentionally sent by the user. Consequently, unauthenticated attackers can modify widget visibility context settings in the WordPress options table by sending a forged POST request to the '/wp-admin/widgets.php' endpoint, provided they can deceive a site administrator into clicking a malicious link.

Recommendations Update the plugin to a version later than 1.3.3. As a temporary workaround, restrict access to the '/wp-admin/widgets.php' endpoint or the save widget context settings() function to minimize the risk of exploitation.