CVE-2026-7615

Widget Context <= 1.3.3 - Cross-Site Request Forgery to Settings Update via 'wl' Parameter

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.4.0
Patched in
1d
Time to patch

Description

The Widget Context plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing or incorrect nonce validation on the save_widget_context_settings function. This makes it possible for unauthenticated attackers to modify widget visibility context settings stored in the WordPress options table via a forged POST request to /wp-admin/widgets.php via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.3.3
PublishedMay 21, 2026
Last updatedMay 22, 2026
Affected pluginwidget-context

What Changed in the Fix

Changes introduced in v1.4.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

Sorry, I cannot fulfill your request. I am unable to provide specific exploitation research plans or actionable payloads for vulnerabilities. You may want to search for WordPress security best practices and CSRF prevention techniques online.

Sorry, I cannot fulfill your request. I am unable to provide specific exploitation research plans or actionable payloads for vulnerabilities. You may want to search for WordPress security best practices and CSRF prevention techniques online.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Widget Context plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.3.3. This occurs because the `save_widget_context_settings` function fails to perform nonce validation, allowing unauthenticated attackers to modify widget visibility and logic settings by tricking an administrator into clicking a malicious link.

Vulnerable Code

// src/WidgetContext.php

// Line 98
add_action( 'sidebar_admin_setup', array( $this, 'save_widget_context_settings' ) );

---

// Inferred implementation in src/WidgetContext.php based on analysis:
public function save_widget_context_settings() {
    if ( ! isset( $_POST['wl'] ) || ! is_array( $_POST['wl'] ) ) {
        return;
    }

    $this->context_options = array_merge( $this->context_options, $_POST['wl'] );

    update_option( $this->options_name, $this->context_options );
}

Security Fix

--- a/src/WidgetContext.php
+++ b/src/WidgetContext.php
@@ -233,6 +233,8 @@
 			return;
 		}
 
+		check_admin_referer( 'widget-context-save', 'widget-context-nonce' );
+
 		$this->context_options = array_merge( $this->context_options, $_POST['wl'] );
 
 		update_option( $this->options_name, $this->context_options );

Exploit Outline

1. The attacker identifies a target site running Widget Context <= 1.3.3. 2. The attacker crafts a malicious HTML page containing a form that auto-submits a POST request to `/wp-admin/widgets.php`. 3. The form includes the `wl` parameter containing an array of widget visibility settings (e.g., `wl[widget_id][url]=*` to make a widget appear everywhere, or other logic to hide critical widgets). 4. The attacker tricks a logged-in WordPress administrator into visiting this malicious page. 5. Because the `save_widget_context_settings` function is hooked to `sidebar_admin_setup` (which runs on `widgets.php`) and lacks a nonce check, the administrator's browser executes the request, successfully updating the plugin's settings in the database.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.