Widget Wrangler WordPress Plugin Critical Code Injection (CVE-2026-25447)

Published On: Mar 27, 2026 10:40

Advisory No: TZCERT-SA-26-0132

Source: CVE Database / Managed WP

Software Affected: Widget Wrangler (widget-wrangler) plugin for WordPress, versions up to and including 2.3.9

Overview

A critical Code Injection vulnerability (CVE-2026-25447) has been identified in Jonathan Daggerhart's Widget Wrangler WordPress plugin, affecting all versions up to and including 2.3.9. Published on March 25, 2026, the vulnerability carries a CVSS score of 9.1 and allows an authenticated attacker holding an Author-level account to inject arbitrary code that the application then executes, potentially leading to full compromise of the web server hosting the site.

Description

CVE-2026-25447 is an Improper Control of Generation of Code (Code Injection) vulnerability with a CVSS score of 9.1, affecting Widget Wrangler versions up to and including 2.3.9. The plugin fails to adequately sanitize or validate user-supplied input before incorporating it into dynamically generated code. When the application subsequently executes this code, the attacker's input runs in the application's context, that is, as the PHP process serving the site. Exploitation requires Author-level privileges: an attacker who already holds, or has compromised, an Author account on the WordPress installation can inject arbitrary PHP code and obtain remote code execution on the server. Because the Author role is a low-privilege content role that is not normally permitted to run PHP, the flaw is effectively a privilege escalation from content author to server-side code execution.

Impact

Successful exploitation of this vulnerability allows an authenticated attacker with Author-level privileges to execute arbitrary code on the server under the web server's account, potentially leading to complete site compromise, unauthorized access to sensitive data (including database credentials held in wp-config.php), and installation of persistent backdoors such as web shells or rogue administrator accounts.

Solution

Users are advised to update the Widget Wrangler plugin to the latest patched version immediately and to verify afterwards that the installed version is later than 2.3.9. If an update is not yet available, disable the plugin and, as a stopgap only, apply Web Application Firewall (WAF) virtual patching rules; a WAF blocks only the request patterns it knows about and does not remove the flaw. Audit and minimize user role assignments, ensuring that Author-level accounts (and the more privileged Editor and Administrator roles) are restricted to trusted users only, and review sites that allow open registration or hold stale Author accounts. Since exploitation is possible from a low-privilege account, administrators should also check for signs of prior compromise, such as unexpected PHP files in the uploads or plugin directories, unfamiliar administrator users, and scheduled tasks the site did not create.
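The following triage script is an added example and is not part of the TZ-CERT advisory or of the Widget Wrangler plugin. It assumes WP-CLI (`wp`) is on PATH and is run from the WordPress root; the plugin slug widget-wrangler and the affected ceiling 2.3.9 are taken from the advisory above. The version comparison is done component by component so that a hypothetical 2.3.10 is correctly treated as newer than 2.3.9, which a plain string comparison would get wrong.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): triage one WordPress
# install for CVE-2026-25447 using WP-CLI.
# Assumes `wp` is installed and the script runs from the WordPress root.

PLUGIN_SLUG="widget-wrangler"   # slug from the advisory
AFFECTED_MAX="2.3.9"            # highest affected version per the advisory

# version_le A B: succeed (exit 0) when version A <= version B.
# Compares numeric components left to right, so "2.3.10" > "2.3.9".
# Missing components count as 0; non-numeric suffixes (e.g. "-beta") are dropped.
version_le() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 0
}

# is_affected VERSION: succeed when VERSION is in the affected range (<= 2.3.9).
is_affected() {
    version_le "$1" "$AFFECTED_MAX"
}

# triage_site: report the installed plugin version, deactivate the plugin if it
# is affected, and list the Author accounts an attacker would need. (Editor and
# Administrator accounts can do at least as much; review them separately.)
triage_site() {
    installed="$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null)" || {
        echo "$PLUGIN_SLUG is not installed on this site"
        return 0
    }
    if is_affected "$installed"; then
        echo "VULNERABLE: $PLUGIN_SLUG $installed (<= $AFFECTED_MAX); deactivating"
        wp plugin deactivate "$PLUGIN_SLUG"
        echo "Accounts with the Author role (restrict to trusted users):"
        wp user list --role=author --fields=ID,user_login,user_email
    else
        echo "OK: $PLUGIN_SLUG $installed is newer than $AFFECTED_MAX"
    fi
}

# Only touch the live site when explicitly asked: ./triage.sh --triage
case "${1:-}" in
    --triage) triage_site ;;
esac
```

Run it with `--triage` on each site; without the flag it only defines the functions, so it can be sourced by a fleet-wide loop that calls `triage_site` per install. A version that is reported as fixed must still be verified against the plugin's own changelog, since the advisory does not name the patched release.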
