CVE-2024-8672
Published: 28 November 2024
Summary
CVE-2024-8672 is a critical-severity Code Injection (CWE-94) vulnerability in WordPress (the affected product is inferred from the references; the details below identify the Widget Options plugin). Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Widget Options plugin for WordPress, in versions up to and including 4.0.7, contains a remote code execution vulnerability in its display logic feature, which integrates with page builders such as Beaver Builder, Elementor, and Gutenberg. The flaw stems from insufficient input validation and missing capability checks around user-supplied data that is passed directly to PHP eval() calls (CWE-94).
Authenticated users with contributor-level permissions or higher can supply crafted input through widget or block controls and execute arbitrary PHP code on the server, which can lead to full site compromise. The CVSS 9.9 score reflects a network-reachable flaw with high impact on confidentiality, integrity, and availability, together with a scope change (the impact extends beyond the vulnerable component's own security authority).
Advisories from Wordfence and the referenced plugin changesets indicate that the issue is addressed in a subsequent release; however, the vendor declined the recommendations to restrict execution to administrators and to enforce an allowlist of permitted functions, so residual risk remains in the implemented fix.
The associated EPSS score peaked at 0.7927; its current value is 0.7825.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-49590
Vulnerability details
The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders. This is due to the plugin allowing users to supply input that will be passed through eval() without any filtering or capability checks. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server. Special note: We suggested the vendor implement an allowlist of functions and limit the ability to execute commands to just administrators, however, they did not take our advice. We are considering this patched, however, we believe it could still be further hardened and there may be residual risk with how the issue is currently patched.
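The weakness class described in the analysis above and in the Wordfence details is "user-controlled string reaches eval()", and the two hardening measures the researchers recommended are a capability gate and a function allowlist. The following is an added illustration, not the Widget Options plugin's own code and not the vendor's fix: it shows the dangerous pattern in its smallest form, then one way to implement both recommendations while removing eval() entirely. All function names prefixed `widget_display_logic_` and the constant `WIDGET_LOGIC_ALLOWED_FUNCTIONS` are hypothetical; `current_user_can`, `sanitize_text_field` and `WP_Error` are real WordPress APIs and require a WordPress runtime, while the parser and evaluator run in plain PHP.

```php
<?php
// Added example (hypothetical names), not code from the Widget Options plugin.

// --- The weakness class: a stored setting is executed as PHP --------------
// $logic is a string a contributor could save on a widget or block. Whatever
// it contains runs with the privileges of the web server process (CWE-94).
function widget_display_logic_vulnerable( string $logic ): bool {
    return (bool) eval( 'return ( ' . $logic . ' );' );
}

// --- Hardened variant: capability gate + allowlist + no eval() ------------

// 1. Only administrators may save display logic. Assumes WordPress is loaded.
function widget_display_logic_can_save(): bool {
    return function_exists( 'current_user_can' ) && current_user_can( 'manage_options' );
}

// 2. Allowlist of WordPress conditional tags the feature needs, mapped to the
//    maximum number of scalar arguments each accepts. Nothing else is callable.
const WIDGET_LOGIC_ALLOWED_FUNCTIONS = array(
    'is_front_page'     => 0,
    'is_home'           => 0,
    'is_single'         => 1,
    'is_page'           => 1,
    'is_user_logged_in' => 0,
);

// 3. Parse "name()" or "name('arg')" against a strict grammar instead of
//    executing it. Returns null for anything that does not match exactly.
function widget_display_logic_parse( string $logic ): ?array {
    $pattern = '/^\s*([a-z_]+)\s*\(\s*(?:\'([^\']*)\')?\s*\)\s*$/';
    if ( ! preg_match( $pattern, $logic, $m ) ) {
        return null; // not a single bare call: reject
    }
    $fn   = $m[1];
    $args = ( isset( $m[2] ) && '' !== $m[2] ) ? array( $m[2] ) : array();

    if ( ! array_key_exists( $fn, WIDGET_LOGIC_ALLOWED_FUNCTIONS ) ) {
        return null; // function name is not on the allowlist
    }
    if ( count( $args ) > WIDGET_LOGIC_ALLOWED_FUNCTIONS[ $fn ] ) {
        return null; // more arguments than this tag accepts
    }
    return array( 'fn' => $fn, 'args' => $args );
}

// 4. Evaluate by direct dispatch to the allowlisted function only.
//    Fails closed: an unparseable rule hides the widget rather than showing it.
function widget_display_logic_safe( string $logic ): bool {
    $parsed = widget_display_logic_parse( $logic );
    if ( null === $parsed || ! function_exists( $parsed['fn'] ) ) {
        return false;
    }
    return (bool) call_user_func_array( $parsed['fn'], $parsed['args'] );
}

// 5. Save handler: store the rule only if the caller is an administrator and
//    the string parses against the allowlist. Returns the string to persist,
//    or a WP_Error (WordPress class) explaining the refusal.
function widget_display_logic_save( string $logic ) {
    if ( ! widget_display_logic_can_save() ) {
        return new WP_Error( 'forbidden', 'Only administrators may set display logic.' );
    }
    if ( null === widget_display_logic_parse( $logic ) ) {
        return new WP_Error( 'invalid_logic', 'Display logic must be a single allowlisted conditional tag.' );
    }
    return sanitize_text_field( $logic );
}

// Behaviour of the parser on constructed sample rules (runs without WordPress):
//   widget_display_logic_parse( "is_page('about')" )  -> ['fn' => 'is_page', 'args' => ['about']]
//   widget_display_logic_parse( 'is_home()' )          -> ['fn' => 'is_home', 'args' => []]
//   widget_display_logic_parse( "is_home('x')" )       -> null  (argument count exceeded)
//   widget_display_logic_parse( 'phpinfo()' )          -> null  (not allowlisted)
//   widget_display_logic_parse( "is_page('a'); x()" )  -> null  (grammar rejects anything extra)
```

The design point is that the hardened version never turns the stored string back into code: the regex admits one identifier and at most one quoted scalar, the identifier must be a key in the allowlist, and dispatch goes straight to that function. If a product genuinely needs boolean combinations of conditions, the right move is to extend the parser (tokens for `and`/`or`/`not`) and keep the allowlist, not to reintroduce eval(). Reviewers auditing a plugin for this class of bug can search for `eval(`, `create_function(` and `assert(` on strings derived from options, post meta or request parameters, and check that each write path to those settings is behind a capability check at least as strict as `manage_options`.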
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.