CVE-2026-27984
Published: 05 March 2026
Summary
CVE-2026-27984 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 18.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-27984 is an Improper Control of Generation of Code ('Code Injection') vulnerability (CWE-94) in the Marketing Fire Widget Options plugin for WordPress, specifically the widget-options component. It affects all versions from n/a through 4.1.3. The vulnerability was published on 2026-03-05T06:16:30.510 and carries a CVSS v3.1 score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), marking it as critical due to its potential for high-impact network-based exploitation.
Attackers with low privileges, such as authenticated WordPress users, can exploit this remotely, although exploitation requires user interaction (UI:R), such as a victim clicking a malicious link or submitting crafted input. Successful exploitation enables remote code execution (RCE), allowing full compromise of the site with high confidentiality, integrity, and availability impacts; the changed scope (S:C) indicates that the impact extends beyond the vulnerable plugin itself.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/widget-options/vulnerability/wordpress-widget-options-plugin-4-1-3-remote-code-execution-rce-vulnerability?_s_id=cve) confirms the RCE in Widget Options 4.1.3 and earlier, urging users to update to a patched version or remove the plugin immediately. No additional mitigations are detailed in the reference.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9654
Vulnerability details
Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection. This issue affects Widget Options: from n/a through 4.1.3 (inclusive).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Code injection (CWE-94) in a public-facing WordPress plugin directly enables remote code execution over the network against an Internet-accessible web application.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the code injection flaw in Widget Options plugin versions through 4.1.3, directly preventing exploitation as urged by the Patchstack advisory.
- SI-10 (Information Input Validation): mandates validation of all information inputs to block malicious code injection via unsanitized user inputs in the widget-options component.
- CM-7 (Least Functionality): limits the system to least functionality by disabling or removing unnecessary plugins such as the vulnerable Widget Options, reducing the attack surface for low-privilege RCE.