CVE-2025-22630
Published: 14 February 2025
Summary
CVE-2025-22630 is a critical-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an OS command injection flaw, tracked as CVE-2025-22630 and assigned CWE-77, that affects the Widget Options WordPress plugin in all versions through 4.1.0. The issue stems from improper neutralization of special elements in commands, allowing an attacker to inject and execute arbitrary operating-system commands. It carries a CVSS 3.1 score of 9.9, reflecting network attack vector, low complexity, low required privileges, and changed scope with high impact on confidentiality, integrity, and availability.
An authenticated attacker with low privileges can exploit the flaw over the network to achieve arbitrary code execution on the underlying server. Successful exploitation grants the ability to run operating-system commands, potentially leading to full system compromise within the affected WordPress installation.
The single reference advisory from Patchstack explicitly labels the issue as an arbitrary-code-execution vulnerability in the Widget Options plugin at version 4.1.0. The EPSS score rose from a low baseline to a recorded peak of 0.0121, indicating emerging exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2895
Vulnerability details
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Marketing Fire Widget Options widget-options allows OS Command Injection.This issue affects Widget Options: from n/a through <= 4.1.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in public-facing WordPress plugin enables exploitation of public-facing applications (T1190) for arbitrary code execution and use of command/scripting interpreters (T1059) on the server.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely remediation of the known command injection flaw in the Widget Options WordPress plugin through patching, directly eliminating the vulnerability.
Mandates validation and sanitization of all inputs to prevent improper neutralization of special elements leading to OS command injection.
Enforces least privilege for low-privilege WordPress users and web server processes, limiting the impact of successful command injection exploitation.