CVE-2024-8672: CWE-94 Improper Control of Generation of Code ('Code Injection') in marketingfire Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets
The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders. This is due to the plugin allowing users to supply input that will be passed through eval() without any filtering or capability checks. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server. Special note: We suggested the vendor implement an allowlist of functions and limit the ability to execute commands to just administrators, however, they did not take our advice. We are considering this patched, however, we believe it could still be further hardened and there may be residual risk with how the issue is currently patched.
AI Analysis
Technical Summary
The vulnerability CVE-2024-8672 affects the marketingfire WordPress plugin 'Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets' in all versions up to 4.0.7. It is caused by improper control of code generation (CWE-94) where user input is passed directly to eval() without validation or capability checks. This flaw enables authenticated attackers with contributor or higher privileges to execute arbitrary code remotely on the server, leading to full compromise. The vendor has issued a patch, but it lacks some recommended security hardening, which may leave residual risk.
Potential Impact
Successful exploitation allows authenticated users with contributor-level access or above to execute arbitrary code on the server, potentially leading to complete server compromise, data loss, or service disruption. The vulnerability has a CVSS score of 9.9 (critical), reflecting its high impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
A patch has been applied by the vendor; however, it does not fully implement all recommended security measures such as function allowlisting or restricting code execution to administrators only. Users should update to the latest plugin version provided by the vendor. Due to potential residual risk, monitoring for plugin updates and vendor advisories is recommended. Patch status is not explicitly confirmed in vendor advisory content, so users should verify the latest plugin version and vendor guidance before deployment.
CVE-2024-8672: CWE-94 Improper Control of Generation of Code ('Code Injection') in marketingfire Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets
Description
The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders. This is due to the plugin allowing users to supply input that will be passed through eval() without any filtering or capability checks. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server. Special note: We suggested the vendor implement an allowlist of functions and limit the ability to execute commands to just administrators, however, they did not take our advice. We are considering this patched, however, we believe it could still be further hardened and there may be residual risk with how the issue is currently patched.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2024-8672 affects the marketingfire WordPress plugin 'Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets' in all versions up to 4.0.7. It is caused by improper control of code generation (CWE-94) where user input is passed directly to eval() without validation or capability checks. This flaw enables authenticated attackers with contributor or higher privileges to execute arbitrary code remotely on the server, leading to full compromise. The vendor has issued a patch, but it lacks some recommended security hardening, which may leave residual risk.
Potential Impact
Successful exploitation allows authenticated users with contributor-level access or above to execute arbitrary code on the server, potentially leading to complete server compromise, data loss, or service disruption. The vulnerability has a CVSS score of 9.9 (critical), reflecting its high impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
A patch has been applied by the vendor; however, it does not fully implement all recommended security measures such as function allowlisting or restricting code execution to administrators only. Users should update to the latest plugin version provided by the vendor. Due to potential residual risk, monitoring for plugin updates and vendor advisories is recommended. Patch status is not explicitly confirmed in vendor advisory content, so users should verify the latest plugin version and vendor guidance before deployment.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-09-10T18:16:22.503Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6c2eb7ef31ef0b560e39
Added to database: 2/25/2026, 9:39:58 PM
Last enriched: 4/9/2026, 3:15:23 PM
Last updated: 4/11/2026, 9:29:12 PM
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.