A critical code injection vulnerability in the Widget Wrangler WordPress plugin allows attackers to execute arbitrary code, potentially leading to full system compromise.

This is a Code Injection vulnerability in the widget-wrangler component. The application fails to properly control the generation of code, allowing an attacker to inject malicious logic that the server then executes.

An attacker can exploit this flaw to execute arbitrary commands, access the database, or modify site content. This level of access results in a complete compromise of the application's confidentiality and integrity. The CVSS score of 9.1 confirms the high severity and urgency of this issue.

Immediate Action: Update Widget Wrangler to the latest version (v2.4.0 or higher) immediately to patch the vulnerable code generation logic.

Proactive Monitoring: Monitor for unauthorized changes to widget configurations and review logs for suspicious PHP execution patterns.

Compensating Controls: Restrict access to the WordPress administrative dashboard and use a WAF to filter out common code injection payloads.

Public Exploit Available: No

Promptly applying the vendor's patch is the only effective way to mitigate this risk. Given the high CVSS score, we recommend that this update be treated as a priority to prevent unauthorized code execution and maintain the security of the WordPress platform.