
CVE-2026-27984

Severity: Critical · Type: RCE

Published: 05 March 2026
Modified: 22 April 2026
KEV Added: none (not listed in the CISA KEV catalog)
Patch: not specified
CVSS Score (v3.1): 9.0 · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Score: 0.0027 (18.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27984 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27984 is an Improper Control of Generation of Code ('Code Injection') vulnerability (CWE-94) in the Marketing Fire Widget Options plugin for WordPress, specifically the widget-options component. It affects all versions from n/a through 4.1.3. The vulnerability was published on 2026-03-05T06:16:30.510 and carries a CVSS v3.1 score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), marking it as critical due to its potential for high-impact network-based exploitation.

Attackers with low privileges, such as authenticated WordPress users, can exploit this remotely, provided they induce user interaction (UI:R), such as a click on a malicious link or input. Exploitation enables remote code execution (RCE), allowing full compromise of the site with high confidentiality, integrity, and availability impacts; the scope is changed (S:C), so the impact extends beyond the vulnerable plugin to the hosting site.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/widget-options/vulnerability/wordpress-widget-options-plugin-4-1-3-remote-code-execution-rce-vulnerability?_s_id=cve) confirms the RCE in Widget Options 4.1.3 and earlier, urging users to update to a patched version or remove the plugin immediately. No additional mitigations are detailed in the reference.


Vulnerability details

Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection. This issue affects Widget Options: from n/a through <= 4.1.3.


MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Code injection (CWE-94) in a public-facing WordPress plugin directly enables remote code execution over the network against an Internet-accessible web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41229 · Shared CWE-94
CVE-2026-44262 · Shared CWE-94
CVE-2026-40563 · Shared CWE-94
CVE-2024-32641 · Shared CWE-94
CVE-2025-71243 · Shared CWE-94
CVE-2026-2052 · Shared CWE-94
CVE-2026-9170 · Shared CWE-94
CVE-2025-54451 · Shared CWE-94
CVE-2025-50692 · Shared CWE-94
CVE-2025-22204 · Shared CWE-94


Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and correction of the code injection flaw in Widget Options plugin versions through 4.1.3, directly preventing exploitation as urged by the Patchstack advisory.

SI-10 Information Input Validation (prevent)
Mandates validation of all information inputs to block malicious code injection via unsanitized user inputs in the widget-options component.

CM-7 Least Functionality (prevent)
Limits the system to least functionality by disabling or removing unnecessary plugins such as the vulnerable Widget Options, reducing the attack surface for low-privilege RCE.
