CVE-2026-2052
Published: 02 May 2026
Summary
CVE-2026-2052 is a high-severity Code Injection (CWE-94) vulnerability in WordPress (product inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 48.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-2052 is a remote code execution vulnerability (CWE-94) affecting the Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress, in all versions up to and including 4.2.2. The flaw resides in the Display Logic feature, where the plugin executes eval() on user-supplied expressions protected by an insufficient blocklist/allowlist. This protection can be bypassed via array_map combined with string concatenation, compounded by missing authorization enforcement on the extended_widget_opts_block attribute. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Authenticated attackers with Contributor-level access or higher can exploit the vulnerability remotely without user interaction. By crafting malicious Display Logic expressions, they can execute arbitrary code on the affected WordPress server, potentially leading to full server compromise including high confidentiality, integrity, and availability impacts.
References in the WordPress plugin Trac repository point to the affected code locations, such as extras.php lines 495 and 534 and gutenberg-toolbar.php line 843, along with the fix changesets 3481338 and 3514411. The vulnerability was only partially patched in version 4.2.0, so security practitioners should verify full remediation and update to the latest version beyond 4.2.2.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26754
Vulnerability details
The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via the Display Logic feature. This is due to the plugin using eval() on user-supplied Display Logic expressions with an insufficient blocklist/allowlist that can be bypassed using array_map with string concatenation, combined with a lack of authorization enforcement on the extended_widget_opts_block attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. The vulnerability was partially patched in version 4.2.0.
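As an added illustration (not the plugin's own code, which is not reproduced here), the PHP below contrasts the vulnerable pattern the advisory describes, eval() over a user-supplied expression guarded only by a string blocklist, with a hardened replacement: a closed expression grammar evaluated without any interpreter, plus a WordPress capability check before display logic may be saved. The function names, the condition grammar, the context variables and the choice of the `manage_options` capability are all assumptions made for this example.

```php
<?php
// Added example, not code from the Widget Options plugin. Function names,
// the condition grammar and the context variables are hypothetical.

// --- Vulnerable shape described in the advisory (for contrast; never use) ---
function display_logic_eval_unsafe(string $expr): bool {
    // A word blocklist over the raw string cannot constrain what eval() will run:
    // the input is still handed to the PHP interpreter as code.
    foreach (['system', 'exec', 'shell_exec', 'passthru'] as $bad) {
        if (stripos($expr, $bad) !== false) {
            return false;
        }
    }
    return (bool) eval('return (' . $expr . ');');
}

// --- Hardened shape: capability gate + closed grammar, no eval() -----------

// 1. Authorization (NIST AC-3 / AC-6): saving display logic is restricted to a
//    capability Contributors do not hold. 'manage_options' is an assumption; the
//    function_exists() guard only lets this file run outside WordPress.
function display_logic_user_may_edit(): bool {
    return function_exists('current_user_can') && current_user_can('manage_options');
}

// 2. Input validation (NIST SI-10): the only accepted expression shape is
//    `<var> <op> <literal>` clauses joined by `and` / `or` ('and' binds tighter).
//    Anything else is rejected before any evaluation happens.
const DISPLAY_LOGIC_VARS = ['post_type', 'post_id', 'user_logged_in'];

function display_logic_eval_safe(string $expr, array $context): bool {
    foreach (preg_split('/\s+or\s+/i', trim($expr)) as $conjunction) {
        $all_true = true;
        foreach (preg_split('/\s+and\s+/i', $conjunction) as $clause) {
            if (!display_logic_eval_clause($clause, $context)) {
                $all_true = false;
                break;
            }
        }
        if ($all_true) {
            return true;
        }
    }
    return false;
}

function display_logic_eval_clause(string $clause, array $context): bool {
    $pattern = '/^\s*([a-z_]+)\s*(==|!=|<=|>=|<|>)\s*(\'[^\']*\'|\d+|true|false)\s*$/i';
    if (!preg_match($pattern, $clause, $m)) {
        throw new InvalidArgumentException("Rejected display-logic clause: {$clause}");
    }
    [, $var, $op, $lit] = $m;
    $var = strtolower($var);
    if (!in_array($var, DISPLAY_LOGIC_VARS, true) || !array_key_exists($var, $context)) {
        throw new InvalidArgumentException("Unknown display-logic variable: {$var}");
    }
    $left = $context[$var];
    if ($lit[0] === "'") {
        $right = substr($lit, 1, -1);            // quoted string literal
    } elseif (ctype_digit($lit)) {
        $right = (int) $lit;                     // integer literal
    } else {
        $right = strcasecmp($lit, 'true') === 0; // boolean literal
    }
    switch ($op) {
        case '==': return $left == $right;
        case '!=': return $left != $right;
        case '<':  return $left <  $right;
        case '>':  return $left >  $right;
        case '<=': return $left <= $right;
    }
    return $left >= $right;                      // '>='
}

// Demo with a constructed context (a real plugin would derive it from the request).
$ctx = ['post_type' => 'page', 'post_id' => 42, 'user_logged_in' => true];
var_dump(display_logic_eval_safe("post_type == 'page' and post_id > 10", $ctx));
var_dump(display_logic_eval_safe("post_type == 'post' or user_logged_in == false", $ctx));
try {
    display_logic_eval_safe('phpinfo()', $ctx); // not a clause: rejected, never executed
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The point of the hardened form is that the expression never reaches a code interpreter: a clause either matches the single permitted shape and is compared against an allowlisted variable, or it raises an exception. A plugin using this shape would call display_logic_user_may_edit() in its save handler and run display_logic_eval_safe() against a dummy context at save time as well, so that malformed logic is rejected on input rather than at render time.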
- CWE(s): CWE-94 (Code Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
Direct RCE in public-facing WordPress plugin via eval() bypass enables exploitation of public-facing application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of user-supplied Display Logic expressions to block malicious inputs that bypass the blocklist and enable eval-based code execution.
- AC-3 (Access Enforcement): Enforces authorization on sensitive attributes like extended_widget_opts_block to prevent Contributor-level users from supplying executable expressions.
- AC-6 (Least Privilege): Applies least privilege to restrict Contributor and equivalent roles from accessing or modifying features that could lead to arbitrary code execution.