CVE-2019-12826
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory, and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
CSRF in Widget Logic plugin before 5.10.2 allows remote attackers to execute PHP code via crafted POST request tricking admin into adding snippets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Widget Logic plugin for WordPress before version 5.10.2 suffers from a Cross-Site Request Forgery (CSRF) vulnerability in widget_logic.php. An attacker can craft a malicious POST request that, when submitted by an authenticated administrator, injects PHP code snippets. These snippets are attached to widgets and later evaluated via eval() to determine widget visibility. The vulnerability is present in versions prior to 5.10.2.
Exploitation
An attacker must trick an authenticated WordPress administrator into making a POST request containing the malicious payload. This can be achieved through social engineering (e.g., a link or form submission on an attacker-controlled site). No other authentication or network position is required beyond the administrator's session. Once the request is processed, the PHP code snippet is saved and executed on subsequent page loads.
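To make the missing check concrete, here is an added illustration (not code from the Widget Logic plugin or its author) of the nonce and capability verification a WordPress settings handler needs so that a forged cross-site POST is rejected even when the victim is a logged-in administrator; the `wlx_` function names, the option name and the form field names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Names prefixed wlx_ are hypothetical.

// 1. The settings form carries a nonce bound to the current user's session.
//    wp_nonce_field() emits a hidden field (and a referer field) for this action.
function wlx_render_snippet_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'widgets.php' ) ) . '">';
    wp_nonce_field( 'wlx_save_snippet', 'wlx_nonce' );
    echo '<textarea name="wlx_snippet"></textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

// 2. The handler refuses any POST that lacks a valid nonce or comes from a user
//    without the required capability, and only then stores the submitted value.
function wlx_handle_snippet_post() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['wlx_snippet'] ) ) {
        return;
    }
    // A request forged from another site cannot carry a valid nonce, because the
    // attacker's page never sees it. check_admin_referer() calls wp_die() on
    // failure, so nothing below runs for a forged request.
    check_admin_referer( 'wlx_save_snippet', 'wlx_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $snippet = wp_unslash( $_POST['wlx_snippet'] );
    update_option( 'wlx_snippet', $snippet );
}
add_action( 'admin_init', 'wlx_handle_snippet_post' );
```

The nonce only blocks the forged submission; a plugin that evaluates stored snippets with eval() still runs whatever an administrator saves, so removing the plugin remains the mitigation for installed copies.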
Impact
Successful exploitation allows remote attackers to execute arbitrary PHP code in the context of the WordPress installation. This can lead to full site compromise, including data theft, defacement, or further attacks on the server.
Mitigation
The plugin has been closed and removed from the WordPress.org directory as of April 14, 2026, and no patched version is available through official channels [1]. There is no official patch; the recommended mitigation is to uninstall the plugin immediately and replace it with an alternative widget visibility plugin.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <5.10.2
Patches
- widget-logic: This plugin has been removed from the WordPress.org directory on 2026-04-14. No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References
- dannewitz.ninja/posts/widget-logic-csrf-to-rce (MISC)
- plugins.trac.wordpress.org/changeset/2112753/widget-logic (CONFIRM)
- wpvulndb.com/vulnerabilities/9403 (MISC)
- wpvulndb.com/vulnerabilities/9413 (MISC)