CVE-2024-8672 Overview
CVE-2024-8672 is a remote code execution vulnerability in the Widget Options WordPress plugin affecting all versions up to and including 4.0.7. The flaw exists in the display logic functionality that extends Beaver Builder, Elementor, and Gutenberg page builders. The plugin passes user-supplied input directly to PHP eval() without filtering or capability checks. Authenticated attackers with contributor-level access or higher can execute arbitrary PHP code on the server. The vulnerability is classified under CWE-94: Improper Control of Generation of Code.
Critical Impact
Contributor-level WordPress accounts can achieve full remote code execution, leading to complete site compromise and potential lateral movement into hosting infrastructure.
Affected Products
- Widget Options – The #1 WordPress Widget & Block Control Plugin (all versions ≤ 4.0.7)
- Sites using the plugin's Beaver Builder integration (beaver.php)
- Sites using the plugin's Elementor integration (render.php) and Gutenberg toolbar (gutenberg-toolbar.php)
Discovery Timeline
- 2024-11-28 - CVE-2024-8672 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-8672
Vulnerability Analysis
The Widget Options plugin provides display logic conditions allowing users to control widget visibility based on PHP expressions. The plugin evaluates these expressions using PHP's eval() function across three page builder integrations: Beaver Builder, Elementor, and Gutenberg. None of the affected code paths apply input sanitization, allowlisting, or capability-based access restrictions before invoking eval().
Any authenticated user with contributor permissions or higher can store malicious PHP expressions in widget configuration. When the widget renders, the plugin executes the supplied code in the WordPress server context. This grants the attacker the same privileges as the PHP-FPM or web server process.
The attack is network-accessible and requires no user interaction: the stored condition executes whenever WordPress renders a page containing the affected widget. According to the public advisory, the patched version retains eval() usage rather than implementing an allowlist of permitted functions, so residual risk remains in the current fix design.
Root Cause
The root cause is direct invocation of eval() on attacker-controlled strings. The vulnerable sinks are located at includes/pagebuilders/beaver/beaver.php line 825, includes/pagebuilders/elementor/render.php line 379, and includes/widgets/gutenberg/gutenberg-toolbar.php line 718. The plugin treats display logic input as trusted PHP code instead of a constrained expression language.
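The contrast between the root cause above and the allowlist design the advisory calls for, as an added example that is not code from the Widget Options plugin or from WordPress. The first function reproduces the eval() pattern the advisory describes; the DisplayLogic class is a hypothetical replacement in which a display condition is parsed against a fixed grammar (predicate names followed by "()", "!", "&&", "||", parentheses) and only predicates the host registers can run. The predicate names and the class itself are assumptions for illustration.

```php
<?php
// Added example, not Widget Options plugin code. vulnerable_display_logic() shows the
// eval() pattern from the advisory; DisplayLogic shows the allowlist alternative.
// All function and class names here are hypothetical.
declare(strict_types=1);

// Vulnerable pattern (illustrative only): the stored condition becomes PHP source,
// so whatever a contributor saved runs with the web server's privileges.
function vulnerable_display_logic(string $condition): bool
{
    return (bool) eval('return ' . $condition . ';');
}

// Hardened pattern: a recursive-descent parser over a tiny boolean grammar.
// Only zero-argument predicates registered in $allowed may be invoked.
final class DisplayLogic
{
    /** @var array<string, callable(): bool> predicate name => implementation */
    private array $allowed;
    /** @var list<string> */
    private array $tokens = [];
    private int $pos = 0;

    public function __construct(array $allowed)
    {
        $this->allowed = $allowed;
    }

    /** Evaluates $condition; throws InvalidArgumentException on anything outside the grammar. */
    public function evaluate(string $condition): bool
    {
        // Anything that is not a known token becomes a one-character token via \S,
        // which parsePrimary() then rejects, so unexpected PHP can never be "parsed".
        preg_match_all('/\s*(&&|\|\||!|\(|\)|[a-z_][a-z0-9_]*\(\)|\S)/', $condition, $m);
        $this->tokens = $m[1];
        $this->pos = 0;
        $result = $this->parseOr();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('Unexpected token: ' . $this->tokens[$this->pos]);
        }
        return $result;
    }

    private function parseOr(): bool
    {
        $left = $this->parseAnd();
        while ($this->peek() === '||') {
            $this->pos++;
            $right = $this->parseAnd();   // always consumed, so the whole string is validated
            $left = $left || $right;
        }
        return $left;
    }

    private function parseAnd(): bool
    {
        $left = $this->parsePrimary();
        while ($this->peek() === '&&') {
            $this->pos++;
            $right = $this->parsePrimary();
            $left = $left && $right;
        }
        return $left;
    }

    private function parsePrimary(): bool
    {
        $tok = $this->peek();
        if ($tok === '!') {
            $this->pos++;
            return !$this->parsePrimary();
        }
        if ($tok === '(') {
            $this->pos++;
            $value = $this->parseOr();
            if ($this->peek() !== ')') {
                throw new InvalidArgumentException('Missing closing parenthesis');
            }
            $this->pos++;
            return $value;
        }
        if ($tok !== null && str_ends_with($tok, '()')) {
            $name = substr($tok, 0, -2);
            if (!isset($this->allowed[$name])) {
                throw new InvalidArgumentException("Predicate not allowlisted: $name");
            }
            $this->pos++;
            return (bool) ($this->allowed[$name])();
        }
        throw new InvalidArgumentException('Unexpected token: ' . var_export($tok, true));
    }

    private function peek(): ?string
    {
        return $this->tokens[$this->pos] ?? null;
    }
}

// Constructed predicates standing in for WordPress conditional tags.
$logic = new DisplayLogic([
    'is_front_page'     => fn(): bool => true,
    'is_user_logged_in' => fn(): bool => false,
]);
var_dump($logic->evaluate('is_front_page() && !is_user_logged_in()'));
foreach (['system("id")', 'is_front_page() || phpinfo()', 'is_front_page('] as $bad) {
    try {
        $logic->evaluate($bad);
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The design point is that the condition string never reaches the PHP compiler: a predicate that is syntactically valid but not registered (phpinfo() above) is rejected by name, and a malformed or non-grammar string is rejected by the tokenizer before any callable is resolved. Registering only side-effect-free conditional tags keeps the allowlist auditable.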
Attack Vector
An attacker authenticates to WordPress using a contributor account, then creates or edits a widget that uses the plugin's display logic feature. The attacker supplies PHP code as the logic condition. When WordPress renders the page containing the widget, the plugin passes the string to eval(), executing the payload server-side. See the WordPress Beaver Builder Code and Wordfence Vulnerability Report for technical references.
No verified public proof-of-concept code is referenced in the advisory. The vulnerability mechanism is straightforward: any PHP expression supplied to the display logic field is executed without restriction.
Detection Methods for CVE-2024-8672
Indicators of Compromise
- New or modified PHP files in wp-content/uploads/ or plugin directories following widget configuration changes
- Outbound network connections from the web server to unexpected hosts immediately after widget rendering
- Unexpected creation of WordPress administrator accounts or modifications to wp_users and wp_usermeta tables
- WordPress option entries containing PHP function calls such as system, exec, shell_exec, passthru, or file_put_contents
Detection Strategies
- Audit the WordPress database for widget configuration entries containing PHP syntax such as backticks, $_GET, $_POST, or function calls
- Inspect web server access logs for contributor or author accounts editing widgets followed by anomalous page renders
- Monitor PHP error logs for eval()-related warnings originating from the Widget Options plugin paths
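The database audit described in the detection strategies, as an added example rather than plugin or WordPress code. Widget settings live in wp_options as serialized arrays, so the scanner decodes each row with object instantiation disabled, walks every string leaf, and reports leaves that match the PHP-syntax patterns the indicators above list (dangerous function calls, request superglobals, backticks, PHP tags). The option names, the display_logic key and the sample rows are constructed for the example.

```php
<?php
// Added example, not plugin or WordPress code: flag PHP-looking strings inside
// serialized widget option values. Option names and keys below are constructed.
declare(strict_types=1);

// Patterns drawn from the indicator list above; a display condition should
// never need any of these.
const SUSPICIOUS_PATTERNS = [
    'dangerous_function' => '/\b(system|exec|shell_exec|passthru|proc_open|popen|file_put_contents|assert)\s*\(/i',
    'request_superglobal' => '/\$_(GET|POST|REQUEST|COOKIE|SERVER)\b/',
    'backtick_exec'       => '/`[^`]*`/',
    'php_tag'             => '/<\?php|\?>/i',
];

/** Yields every string leaf of a decoded option value, keyed by its dotted path. */
function string_leaves(mixed $value, string $path = ''): Generator
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            yield from string_leaves($v, $path === '' ? (string) $k : "$path.$k");
        }
    } elseif (is_string($value)) {
        yield $path => $value;
    }
}

/**
 * @param array<string,string> $rows option_name => raw option_value from wp_options
 * @return list<array{option:string,path:string,rule:string,snippet:string}>
 */
function scan_widget_options(array $rows): array
{
    $findings = [];
    foreach ($rows as $optionName => $raw) {
        // Never let unserialize() instantiate classes from database content.
        $decoded = @unserialize($raw, ['allowed_classes' => false]);
        if ($decoded === false && $raw !== serialize(false)) {
            $decoded = $raw;   // not serialized: scan the raw string itself
        }
        foreach (string_leaves($decoded) as $path => $text) {
            foreach (SUSPICIOUS_PATTERNS as $rule => $regex) {
                if (preg_match($regex, $text)) {
                    $findings[] = [
                        'option'  => $optionName,
                        'path'    => $path,
                        'rule'    => $rule,
                        'snippet' => substr($text, 0, 80),
                    ];
                    break;   // one finding per leaf is enough to trigger review
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows mimicking wp_options content. The first widget carries a
// legitimate condition; the other two carry strings that should never be stored.
$rows = [
    'widget_text' => serialize([
        2 => ['title' => 'Hello', 'display_logic' => 'is_front_page() && !is_user_logged_in()'],
        '_multiwidget' => 1,
    ]),
    'widget_custom_html' => serialize([
        3 => ['title' => 'Promo', 'display_logic' => 'exec("id")'],
        4 => ['title' => 'Promo 2', 'display_logic' => 'isset($_GET["p"])'],
        '_multiwidget' => 1,
    ]),
];

foreach (scan_widget_options($rows) as $f) {
    printf("[%s] %s (%s): %s\n", $f['rule'], $f['option'], $f['path'], $f['snippet']);
}
```

On a live site the $rows array would come from a query such as selecting option_name and option_value where option_name starts with widget_, run read-only from a maintenance host; the legitimate condition in the first row produces no finding, which is what makes the scan usable as a recurring check rather than a one-off.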
Monitoring Recommendations
- Alert on creation of new files by the web server user in writable WordPress directories
- Track the inventory of installed plugin versions and flag Widget Options installations at or below 4.0.7
- Correlate authentication events for low-privilege WordPress accounts with subsequent server process spawns such as sh, bash, or curl
How to Mitigate CVE-2024-8672
Immediate Actions Required
- Update the Widget Options plugin to a version newer than 4.0.7 per the WordPress Widget Options Changeset
- Audit all WordPress user accounts and remove unnecessary contributor, author, or editor roles
- Review widget configurations for any unexpected PHP expressions and remove suspicious entries
- Rotate WordPress secret keys in wp-config.php and force password resets for all privileged users
Patch Information
The vendor released a patch in the changeset referenced above. The advisory notes that the maintainers did not implement an allowlist of permitted functions and continue to use eval() in the patched code path. Administrators should treat the fix as partial mitigation and apply defense-in-depth controls.
Workarounds
- Disable or uninstall the Widget Options plugin until a hardened fix is available
- Restrict the WordPress unfiltered_html and widget editing capabilities to administrators using a role management plugin
- Deploy a web application firewall rule that blocks PHP syntax patterns in widget save requests to admin-ajax.php and the REST API widget endpoints
- Configure PHP's disable_functions directive to remove dangerous functions such as system, exec, shell_exec, and passthru if not required by the application
# Example php.ini hardening to reduce eval() impact
disable_functions = system,exec,shell_exec,passthru,proc_open,popen,curl_exec,curl_multi_exec
allow_url_fopen = Off
allow_url_include = Off
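Two host-side checks matching the mitigation list, as an added example that is not plugin or WordPress code: a version test against the plugin's header (for the inventory item under Monitoring Recommendations) and a comparison of the running interpreter's settings against the php.ini fragment above. The plugin header sample is constructed; the header format and ini_get() behaviour are standard PHP and WordPress conventions.

```php
<?php
// Added example, not plugin code: verify the plugin version and the php.ini
// hardening from the mitigation list. The sample plugin header is constructed.
declare(strict_types=1);

const VULNERABLE_MAX_VERSION = '4.0.7';
const REQUIRED_DISABLED = ['system', 'exec', 'shell_exec', 'passthru', 'proc_open', 'popen'];

/** Extracts the Version: header line from a plugin's main file contents. */
function plugin_version_from_header(string $contents): ?string
{
    return preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $contents, $m) ? $m[1] : null;
}

/** True when the installed version is at or below the last vulnerable release. */
function widget_options_is_vulnerable(string $version): bool
{
    return version_compare($version, VULNERABLE_MAX_VERSION, '<=');
}

/**
 * Compares effective disable_functions and the two URL directives against the
 * hardening fragment; returns human-readable gaps (empty array = compliant).
 * @return list<string>
 */
function php_hardening_gaps(string $disableFunctions, string $allowUrlFopen, string $allowUrlInclude): array
{
    $disabled = array_map('trim', explode(',', strtolower($disableFunctions)));
    $gaps = [];
    foreach (REQUIRED_DISABLED as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $gaps[] = "disable_functions is missing $fn";
        }
    }
    // ini_get() returns "" or "0" for Off and "1" for On; FILTER_VALIDATE_BOOLEAN
    // also understands "on"/"off" from a literal ini string.
    if (filter_var($allowUrlFopen, FILTER_VALIDATE_BOOLEAN)) {
        $gaps[] = 'allow_url_fopen is On';
    }
    if (filter_var($allowUrlInclude, FILTER_VALIDATE_BOOLEAN)) {
        $gaps[] = 'allow_url_include is On';
    }
    return $gaps;
}

// Constructed plugin header in the form WordPress reads from the plugin's main file.
$header = "<?php\n/*\nPlugin Name: Widget Options\nVersion: 4.0.7\n*/\n";
$version = plugin_version_from_header($header);
if ($version === null) {
    echo "Could not determine plugin version\n";
} else {
    printf("Widget Options %s vulnerable: %s\n", $version,
        widget_options_is_vulnerable($version) ? 'yes' : 'no');
}

// Read the live values from the interpreter that actually serves the site.
$gaps = php_hardening_gaps(
    (string) ini_get('disable_functions'),
    (string) ini_get('allow_url_fopen'),
    (string) ini_get('allow_url_include')
);
echo $gaps ? implode(PHP_EOL, $gaps) . PHP_EOL : "PHP hardening matches the fragment above\n";
```

Run the script through the same PHP binary (and SAPI) that serves WordPress, since php-fpm and the CLI frequently load different ini files and the CLI result would otherwise give false assurance.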
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.