CVE-2025-32222
Published: 06 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-32222 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified under CWE-94, in the Widget Logic WordPress plugin (widget-logic) from Widgetlogic.org. This issue affects all versions of Widget Logic through 6.0.5.
The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity. A low-privileged remote attacker, such as an authenticated WordPress user, can exploit it over the network with low complexity and no user interaction required. Successful exploitation enables code injection, allowing the attacker to achieve high-impact remote code execution with full compromise of confidentiality, integrity, and availability across the changed scope.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/widget-logic/vulnerability/wordpress-widget-logic-6-0-5-remote-code-execution-rce-vulnerability?_s_id=cve) documents the remote code execution vulnerability in Widget Logic up to version 6.0.5.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a code injection flaw in a public-facing WordPress plugin, enabling low-privileged authenticated attackers to achieve remote code execution, directly mapping to exploitation of public-facing applications.