CVE-2026-54823
MarketingFire · Widget Options
A critical vulnerability in the MarketingFire Widget Options plugin allows contributor-level users to execute arbitrary code on the server.
Executive summary
A critical remote code execution (RCE) vulnerability in the Widget Options WordPress plugin lets any authenticated user holding the contributor role run arbitrary code on the web server, putting both the site and the hosting environment at risk.
Vulnerability
This is a remote code execution (RCE) vulnerability reachable by authenticated users with the WordPress "contributor" role, the lowest built-in role that can create content (contributors can draft posts but not publish them, and it is the role commonly handed to guest authors). The flaw lets such a user bypass the plugin's intended restrictions and execute code on the underlying server.
Business impact
With a CVSS score of 9.9, this vulnerability is a severe threat to any WordPress site running the Widget Options plugin. The score reflects that only low-privilege access is needed: an attacker holding a contributor account, or who has phished or brute-forced one, gains code execution as the web server user, which is full control of the WordPress installation (database credentials in wp-config.php included) and a foothold on the host. Likely outcomes are data theft or destruction, site defacement, and the installation of webshells or other malicious software that persists after the plugin is patched.
Remediation
Immediate Action: Update the Widget Options plugin to the latest release, which must be a version later than 4.2.3, and confirm the installed version afterwards rather than assuming the update ran.
Proactive Monitoring: Audit user accounts so that no unexpected or stale account holds the "contributor" role or higher, and review web server logs and the filesystem for signs of code execution, such as PHP files newly written under wp-content/uploads or unexpected POST requests issued from contributor accounts. Because code execution may already have left a webshell behind, treat the audit as an incident check, not only a hygiene step.
Compensating Controls: If an immediate update is not possible, deactivate (and preferably delete) the Widget Options plugin until a verified patch can be applied, and consider temporarily demoting contributor accounts to subscriber so the vulnerable code path is not reachable by low-privilege users.
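The version and account checks above can be scripted against WP-CLI output. The following is an added example written for this page, not code from the advisory or from the plugin vendor. It assumes the plugin's WordPress.org slug is "widget-options" and, following the "beyond version 4.2.3" wording of the recommendation, that versions up to and including 4.2.3 are affected; both are assumptions to confirm against the vendor changelog. The JSON embedded below is constructed sample data in the shape produced by `wp plugin list --format=json` and `wp user list --format=json`; on a real site, pass the files written by those two commands as arguments.

```python
"""Audit a WordPress site for CVE-2026-54823 exposure from WP-CLI JSON output.

Added example for this advisory page; not vendor or advisory code.
Assumptions: plugin slug "widget-options"; versions <= 4.2.3 affected.
"""
import json
import re
import sys

PLUGIN_SLUG = "widget-options"   # assumption: WordPress.org slug of Widget Options
LAST_VULNERABLE = "4.2.3"        # from the advisory: site must be updated beyond this

# WordPress built-in roles, least to most privileged. Custom roles (e.g. from
# e-commerce plugins) are not ranked and are flagged for manual review.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2, "editor": 3, "administrator": 4}

# Constructed sample output of `wp plugin list --format=json` and
# `wp user list --format=json`, used when no files are given on the command line.
SAMPLE_PLUGINS = json.dumps([
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
    {"name": "widget-options", "status": "active", "update": "available", "version": "4.2.3"},
])
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "admin", "roles": "administrator"},
    {"ID": 7, "user_login": "guest_writer", "roles": "contributor"},
    {"ID": 9, "user_login": "reader", "roles": "subscriber"},
    {"ID": 12, "user_login": "ops_bot", "roles": "shop_manager"},
])


def parse_version(version):
    """Turn '4.2.10' into (4, 2, 10) so numeric comparison is used.

    Plain string comparison would rank '4.2.10' below '4.2.3' and report a
    patched site as vulnerable (or the reverse), so never compare raw strings.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(installed):
    """True when the installed version is at or below the last affected version."""
    return parse_version(installed) <= parse_version(LAST_VULNERABLE)


def find_plugin(plugins, slug=PLUGIN_SLUG):
    """Return the plugin record matching the slug, or None if not installed."""
    return next((p for p in plugins if p.get("name") == slug), None)


def privileged_users(users, min_role="contributor"):
    """List (login, role) for users at or above min_role, plus any unknown role.

    `wp user list` reports roles as a comma-separated string; a user with several
    roles is reported once, on the first role that qualifies.
    """
    threshold = ROLE_RANK[min_role]
    flagged = []
    for user in users:
        for role in (r.strip() for r in user.get("roles", "").split(",")):
            if not role:
                continue
            rank = ROLE_RANK.get(role)
            if rank is None or rank >= threshold:
                flagged.append((user["user_login"], role))
                break
    return flagged


def audit(plugins_json, users_json):
    """Combine the plugin version check with the account review into one report."""
    plugins = json.loads(plugins_json)
    users = json.loads(users_json)
    plugin = find_plugin(plugins)
    report = {
        "plugin_installed": plugin is not None,
        "version": plugin["version"] if plugin else None,
        "active": bool(plugin) and plugin.get("status") == "active",
        "vulnerable": bool(plugin) and is_vulnerable(plugin["version"]),
        "privileged_users": privileged_users(users),
    }
    # Exposure needs both an affected version and at least one account that can
    # reach the contributor-level code path. Deactivated plugins are still
    # reported so they get removed rather than forgotten.
    report["exposed"] = report["vulnerable"] and report["active"] and bool(report["privileged_users"])
    return report


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as pf, open(sys.argv[2]) as uf:
            result = audit(pf.read(), uf.read())
    else:
        result = audit(SAMPLE_PLUGINS, SAMPLE_USERS)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["exposed"] else 0)
```

Typical use on a site: `wp plugin list --format=json > plugins.json`, `wp user list --format=json > users.json`, then run the script with those two paths; a non-zero exit means the affected version is active and at least one contributor-or-higher account exists. Any login reported with a role outside the built-in five is a custom role whose capabilities must be checked by hand, since it may map to contributor-level access or above.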
Exploitation status
Public Exploit Available: No (as of this advisory; re-check before deprioritizing, since WordPress plugin patches are published in the public plugin repository and a low-privilege RCE is a natural target for exploit development once the fix is diffed).
Analyst recommendation
Treat this as a priority patch. Security teams must confirm that every instance of the Widget Options plugin, including staging and forgotten sites, is updated beyond version 4.2.3, and should pair the update with a review of contributor-and-above accounts and a check for webshells or modified PHP files, since the vulnerability gives a low-privilege account a direct path to code execution.