Cyber Resilience

CVE-2026-25447

Severity: Critical · Impact: RCE

Published: 25 March 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: none listed
CVSS v3.1 base score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0031 (23.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25447 is a Code Injection (CWE-94) vulnerability in the Widget Wrangler WordPress plugin with a CVSS v3.1 base score of 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 23.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25447 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified under CWE-94, in the Widget Wrangler WordPress plugin by Jonathan Daggerhart. The affected range is given as "from n/a through <= 2.3.9": every release of the widget-wrangler plugin up to and including 2.3.9, with no lower bound stated. The vulnerability was published on 2026-03-25 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Exploitation requires high privileges (PR:H), such as those held by an authenticated administrator, so in practice the attacker needs a compromised or malicious admin account; from there it can be conducted remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation leads to remote code execution with full loss of confidentiality, integrity, and availability (C:H/I:H/A:H). The scope metric is Changed (S:C): the impact is not confined to the plugin but reaches the WordPress installation and the host running it, which is what lifts the score from the 7.2 a scope-unchanged version of the same vector would receive to 9.1.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/widget-wrangler/vulnerability/wordpress-widget-wrangler-plugin-2-3-9-remote-code-execution-rce-vulnerability?_s_id=cve documents this as a remote code execution vulnerability in the WordPress Widget Wrangler plugin version 2.3.9 and provides details on the issue.


Vulnerability details

Improper Control of Generation of Code ('Code Injection') vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection. This issue affects Widget Wrangler: from n/a through <= 2.3.9.

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

A code injection (CWE-94) RCE in a public-facing WordPress plugin is exploited through the internet-facing application (T1190); the resulting PHP execution gives the attacker arbitrary command execution via the Unix shell (T1059.004) and a natural place to drop a web shell for persistence (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28134 (shared CWE-94)
CVE-2024-56278 (shared CWE-94)
CVE-2026-26830 (shared CWE-94)
CVE-2024-54804 (shared CWE-94)
CVE-2026-30117 (shared CWE-94)
CVE-2025-67038 (shared CWE-94)
CVE-2024-54724 (shared CWE-94)
CVE-2024-54806 (shared CWE-94)
CVE-2026-32367 (shared CWE-94)
CVE-2024-36057 (shared CWE-94)


Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent)
Directly prevents code injection exploitation in Widget Wrangler by enforcing validation and sanitization of all inputs used in dynamic code generation.

SI-2 Flaw Remediation (prevent)
Mitigates CVE-2026-25447 by requiring timely identification, prioritization, and remediation of flaws such as this plugin vulnerability through patching to a version later than 2.3.9.

Least privilege (prevent)
Reduces the risk of PR:H exploitation in Widget Wrangler by enforcing least privilege, ensuring users lack unnecessary administrative access to vulnerable widget functions.
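A small fleet-triage helper for the affected range stated on this page ("from n/a through <= 2.3.9"), as an added example that is not code from the page, the plugin, or its author. It assumes, as the flaw-remediation note puts it, that the fix ships as a release later than 2.3.9, and that the installed versions (the constructed sample inventory below) have already been collected per site. The comparison is numeric so that 2.3.10 is treated as newer than 2.3.9; a plain string comparison gets that wrong, and the block keeps that pitfall alongside the correct check so the difference is visible.

```python
"""Affected-version triage for CVE-2026-25447 (added example; not code from the
page or the plugin). Flags installs whose widget-wrangler version is <= 2.3.9."""
import re

AFFECTED_MAX = "2.3.9"  # last affected release per the page's range "through <= 2.3.9"

# Constructed sample inventory: site -> installed plugin version, None if not installed.
SAMPLE_INVENTORY = {
    "shop.example": "2.3.9",
    "blog.example": "2.3.10",
    "docs.example": "1.8",
    "wiki.example": None,
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-+.].*)?")


def parse_version(version):
    """Dotted release string -> integer tuple. A trailing tag such as '-rc1'
    is ignored, so '2.3.9-rc1' compares as 2.3.9 (conservatively affected)."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def compare(a, b):
    """-1, 0 or 1 like a classic cmp; shorter tuples are zero-padded so 2.3 == 2.3.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(installed, affected_max=AFFECTED_MAX):
    """True when installed <= affected_max, i.e. inside 'from n/a through <= X'."""
    return compare(installed, affected_max) <= 0


def naive_string_check(installed, affected_max=AFFECTED_MAX):
    """The pitfall: lexical comparison says '2.3.10' <= '2.3.9' because '1' < '9'."""
    return installed <= affected_max


def triage(inventory, affected_max=AFFECTED_MAX):
    """Return the sorted list of sites that still run an affected version."""
    return sorted(
        site
        for site, version in inventory.items()
        if version is not None and is_affected(version, affected_max)
    )


if __name__ == "__main__":
    for site in triage(SAMPLE_INVENTORY):
        print(f"{site}: widget-wrangler {SAMPLE_INVENTORY[site]} is affected, update past {AFFECTED_MAX}")
```

On a WordPress host, WP-CLI's `wp plugin get widget-wrangler --field=version` is one way to obtain the installed version to feed into the inventory. The helper only answers "is this inside the published affected range"; it does not know whether a fixed release actually exists, which the page itself does not state, so an install that is not affected by this check is simply one running something newer than 2.3.9.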
