CVE-2024-8672
CVSS 3.1 Score 9.9 of 10 (high)
Details
Summary
CVE-2024-8672 is a Remote Code Execution vulnerability affecting the Widget Options plugin for WordPress, versions up to and including 4.0.7. The issue lies in the display logic functionality that extends several page builders, which allows users to bypass filtering and capability checks, enabling authenticated attackers with contributor-level access or higher to execute code on the server. The vendor was advised to implement an allowlist of functions and to restrict command execution to administrators, but the recommendation was not implemented. While the vulnerability has been acknowledged, further hardening measures may be necessary to mitigate potential residual risk.