CVE-2019-12826

Published: Jul 1, 2019Modified: Jun 17, 2026

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A Cross-Site-Request-Forgery (CSRF) vulnerability in widget_logic.php in the 2by2host Widget Logic plugin before 5.10.2 for WordPress allows remote attackers to execute PHP code via snippets (that are attached to widgets and then eval'd to dynamically determine their visibility) by crafting a malicious POST request that tricks administrators into adding the code.

Affected (1)

Products: Wpchef: Widget Logic

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wpchef Widget Logic	Before 5.10.2

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (8)

https://dannewitz.ninja/posts/widget-logic-csrf-to-rce

Source: cve@mitre.org

ExploitThird Party Advisory

https://plugins.trac.wordpress.org/changeset/2112753/widget-logic

Source: cve@mitre.org

Third Party Advisory

https://wpvulndb.com/vulnerabilities/9403

Source: cve@mitre.org

https://wpvulndb.com/vulnerabilities/9413

Source: cve@mitre.org

https://dannewitz.ninja/posts/widget-logic-csrf-to-rce

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://plugins.trac.wordpress.org/changeset/2112753/widget-logic

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://wpvulndb.com/vulnerabilities/9403

Source: af854a3a-2127-422b-91ae-364da2661108

https://wpvulndb.com/vulnerabilities/9413

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.