Cyber Resilience

CVE-2026-2052

High · RCE

Published: 02 May 2026
Modified: 05 May 2026
KEV Added: not listed
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0077 (51.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-2052 is a high-severity Code Injection (CWE-94) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2052 is a remote code execution vulnerability (CWE-94) affecting the Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress, in all versions up to and including 4.2.2. The flaw resides in the Display Logic feature, where the plugin executes eval() on user-supplied expressions protected by an insufficient blocklist/allowlist. This protection can be bypassed via array_map combined with string concatenation, compounded by missing authorization enforcement on the extended_widget_opts_block attribute. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with Contributor-level access or higher can exploit the vulnerability remotely without user interaction. By crafting malicious Display Logic expressions, they can execute arbitrary code on the affected WordPress server, potentially leading to full server compromise including high confidentiality, integrity, and availability impacts.

References in the WordPress plugin Trac repository highlight affected code locations, such as extras.php lines 495 and 534, and gutenberg-toolbar.php line 843, along with mitigation changesets 3481338 and 3514411. The vulnerability was partially patched in version 4.2.0, though security practitioners should verify full remediation and update to the latest version beyond 4.2.2.

Vulnerability details

The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via the Display Logic feature. This is due to the plugin using eval() on user-supplied Display Logic expressions with an insufficient blocklist/allowlist that can be bypassed using array_map with string concatenation, combined with a lack of authorization enforcement on the extended_widget_opts_block attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. The vulnerability was partially patched in version 4.2.0.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct RCE in public-facing WordPress plugin via eval() bypass enables exploitation of public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41229 (shared CWE-94)
CVE-2026-44262 (shared CWE-94)
CVE-2026-40563 (shared CWE-94)
CVE-2024-32641 (shared CWE-94)
CVE-2025-71243 (shared CWE-94)
CVE-2026-9170 (shared CWE-94)
CVE-2025-54451 (shared CWE-94)
CVE-2025-50692 (shared CWE-94)
CVE-2025-22204 (shared CWE-94)
CVE-2026-8855 (shared CWE-94)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent): Requires validation of user-supplied Display Logic expressions to block malicious inputs that bypass the blocklist and enable eval-based code execution.

AC-3 Access Enforcement (prevent): Enforces authorization on sensitive attributes like extended_widget_opts_block to prevent Contributor-level users from supplying executable expressions.

Least privilege (prevent): Applies least privilege to restrict Contributor and equivalent roles from accessing or modifying features that could lead to arbitrary code execution.
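The vulnerability details above describe the root cause (eval() over user text, guarded only by a blocklist) and the mitigating controls describe the fix shape (input validation, authorization on the attribute, least privilege). The PHP below is an added example, not the plugin's code and not the fix shipped in the Trac changesets, showing how the two controls combine: a Display Logic evaluator that never calls eval() but parses a tiny fixed grammar and resolves predicates only from an allowlist of callables, plus a save-time capability gate. The class name SafeDisplayLogic, the function wo_example_can_set_display_logic and the predicate names are assumptions; current_user_can() and the manage_options capability are real WordPress APIs, and the predicates are constructed stand-ins so the snippet runs outside WordPress.

```php
<?php
// Added example: a Display Logic evaluator with no eval(). Predicates are looked
// up by name in a fixed array, so user text can only select from that allowlist;
// string-building tricks (array_map plus concatenation) have nothing to reach.
final class SafeDisplayLogic
{
    /** @var array<string, callable> allowlisted predicate name => callable */
    private array $predicates;
    private array $tokens = [];
    private int $pos = 0;

    public function __construct(array $predicates) { $this->predicates = $predicates; }

    // Grammar: expr := term ('||' term)* ; term := factor ('&&' factor)* ;
    //          factor := '!' factor | '(' expr ')' | IDENT '(' [STRING (',' STRING)*] ')'
    public function evaluate(string $expr): bool
    {
        $this->tokens = $this->tokenize($expr);
        $this->pos = 0;
        $result = $this->parseOr();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('Unexpected trailing input');
        }
        return $result;
    }

    private function tokenize(string $expr): array
    {
        // Operators, identifiers, or single-quoted strings with no escapes.
        $pattern = '/\G\s*(?:(\|\||&&|!|\(|\)|,)|([A-Za-z_][A-Za-z0-9_]*)|\'([^\']*)\')/';
        $tokens = [];
        $offset = 0;
        $len = strlen($expr);
        while ($offset < $len) {
            if (!preg_match($pattern, $expr, $m, PREG_UNMATCHED_AS_NULL, $offset)) {
                if (trim(substr($expr, $offset)) === '') { break; } // trailing whitespace
                throw new InvalidArgumentException("Unexpected character at offset $offset");
            }
            $offset += strlen($m[0]);
            if (($m[1] ?? null) !== null)      { $tokens[] = ['op', $m[1]]; }
            elseif (($m[2] ?? null) !== null)  { $tokens[] = ['ident', $m[2]]; }
            else                               { $tokens[] = ['str', (string) ($m[3] ?? '')]; }
        }
        return $tokens;
    }

    private function peek(): ?array { return $this->tokens[$this->pos] ?? null; }

    private function acceptOp(string $op): bool
    {
        $t = $this->peek();
        if ($t !== null && $t[0] === 'op' && $t[1] === $op) { $this->pos++; return true; }
        return false;
    }

    private function expectOp(string $op): void
    {
        if (!$this->acceptOp($op)) { throw new InvalidArgumentException("Expected '$op'"); }
    }

    // Both sides are always parsed (no short-circuit) so syntax errors never hide.
    private function parseOr(): bool
    {
        $v = $this->parseAnd();
        while ($this->acceptOp('||')) { $r = $this->parseAnd(); $v = $v || $r; }
        return $v;
    }

    private function parseAnd(): bool
    {
        $v = $this->parseNot();
        while ($this->acceptOp('&&')) { $r = $this->parseNot(); $v = $v && $r; }
        return $v;
    }

    private function parseNot(): bool
    {
        if ($this->acceptOp('!')) { return !$this->parseNot(); }
        if ($this->acceptOp('(')) { $v = $this->parseOr(); $this->expectOp(')'); return $v; }
        $t = $this->peek();
        if ($t === null || $t[0] !== 'ident') { throw new InvalidArgumentException('Expected predicate'); }
        $this->pos++;
        $this->expectOp('(');
        $args = [];
        if (!$this->acceptOp(')')) {
            do {
                $s = $this->peek();
                if ($s === null || $s[0] !== 'str') { throw new InvalidArgumentException('Arguments must be quoted strings'); }
                $args[] = $s[1];
                $this->pos++;
            } while ($this->acceptOp(','));
            $this->expectOp(')');
        }
        if (!isset($this->predicates[$t[1]])) { throw new InvalidArgumentException("Unknown predicate '{$t[1]}'"); }
        $fn = $this->predicates[$t[1]];
        return (bool) $fn(...$args);
    }
}

// Hypothetical save-time gate (AC-3 / least privilege): only roles that may already
// run arbitrary code on the site can store display logic; Contributors cannot.
function wo_example_can_set_display_logic(): bool
{
    return function_exists('current_user_can') && current_user_can('manage_options');
}

// Constructed stand-ins for WordPress conditionals so this runs offline.
$logic = new SafeDisplayLogic([
    'is_logged_in' => fn(): bool => true,
    'is_page'      => fn(string $slug): bool => $slug === 'pricing',
]);
var_dump($logic->evaluate("is_logged_in() && !is_page('checkout')")); // bool(true)
try { $logic->evaluate("array_map('strtoupper')"); }                   // not allowlisted
catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }  // Unknown predicate 'array_map'
```

The allowlist is the whole security boundary here: a name that is not a key of the predicate array is a parse error, not a function call, so there is no blocklist to bypass. Storing the expression should additionally be gated by the capability check, and the stored string should be validated with the same parser at save time rather than only at render time.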

References