CVE-2025-22630

CVE-2025-22630 is an Improper Neutralization of Special Elements used in a Command vulnerability, classified under CWE-77, that enables OS Command Injection in the Marketing Fire Widget Options (widget-options) WordPress plugin. This flaw affects all versions of the plugin from unknown initial release through 4.1.0 inclusive. Published on 2025-02-14, it carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for scope expansion.

A remote attacker with low privileges, such as a WordPress user with contributor-level access or similar, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows full control over the underlying operating system, achieving high-impact violations of confidentiality, integrity, and availability, including arbitrary code execution on the server hosting the vulnerable WordPress site.

The Patchstack advisory provides detailed analysis of the vulnerability, describing it as an arbitrary code execution issue in Widget Options plugin version 4.1.0; security practitioners should consult https://patchstack.com/database/Wordpress/Plugin/widget-options/vulnerability/wordpress-widget-options-plugin-4-1-0-arbitrary-code-execution-vulnerability?_s_id=cve for patch information, workaround guidance, and affected configurations.