CVE-2024-8672: 
WordPress vulnerability analysis and mitigation

The Widget Options – The #1 WordPress Widget & Block Control Plugin for WordPress contains a critical Remote Code Execution vulnerability (CVE-2024-8672) affecting all versions up to and including 4.0.7. The vulnerability was discovered and reported by security researcher Webbernaut, with the issue being publicly disclosed on November 28, 2024. This popular plugin, which has over 100,000 active installations, received a critical CVSS v3.1 score of 9.9 (NVD, SecurityOnline).

The vulnerability exists in the plugin's display logic functionality that extends several page builders. The security flaw stems from the plugin allowing users to supply input that is passed through the eval() function without proper filtering or capability checks. This implementation has been classified as CWE-94 (Improper Control of Generation of Code). The vulnerability has been assigned a CVSS v3.1 Base Score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).

The vulnerability enables authenticated attackers with contributor-level access or higher to execute arbitrary code on the server. This could potentially lead to complete server compromise, allowing attackers to gain unauthorized access to sensitive information, modify website content, and potentially affect the entire WordPress installation (SecurityOnline).

A patch has been released in version 4.0.8 of the Widget Options plugin. However, security researchers note that the current patch might not be completely foolproof, as the vendor did not fully implement the recommended security measures, including the suggested allowlist of functions and limiting command execution to administrators only. Users are strongly advised to update to version 4.0.8 immediately and monitor their sites for suspicious activity (ASEC, SecurityOnline).