CVE-2026-27984 PUBLISHED

WordPress Widget Options plugin <= 4.1.3 - Remote Code Execution (RCE) vulnerability

Assigner: Patchstack
Reserved: 25.02.2026 Published: 05.03.2026 Updated: 05.03.2026

Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection.This issue affects Widget Options: from n/a through <= 4.1.3.

Product Status

Vendor	Marketing Fire
Product	Widget Options
Versions	Default: unaffected affected from n/a to <= 4.1.3 (incl.)

Credits

mcdruid | Patchstack Bug Bounty Program finder

References

https://patchstack.com/database/Wordpress/Plugin/widget-options/vulnerability/wordpress-widget-options-plugin-4-1-3-remote-code-execution-rce-vulnerability?_s_id=cve

Problem Types

Improper Control of Generation of Code ('Code Injection') CWE

Impacts

Code Injection