WordPress Widget Options Plugin Has a Code-Execution Flaw — Audit Your Site Today

The WordPress plugin Widget Options — Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets has a remote code execution flaw, tracked as CVE-2026-2052, that’s still not fully patched. Anyone with Contributor-level access or higher on a vulnerable site can run code on the server, hijack the install, and pivot into the rest of the hosting environment. The advisory was published 2 May 2026 with a CVSS score of 8.8 (High), as catalogued by OffSeq’s threat radar.

Who’s affected

Any site running Widget Options at version 4.2.2 or below. The vendor pushed a partial fix in 4.2.0, but researchers showed the blocklist can still be bypassed using array_map with string concatenation. So even sites that look up to date are still exposed.

Why it matters for Australian SMBs

WordPress runs the front door for a huge slice of Australian small business — hospitality websites, NFP donation pages, broker portals, club booking systems, the lot. If an attacker lands code execution on your site, they can drop a webshell, harvest customer data, or use your domain to phish other people. Under the OAIC’s tougher 2026 enforcement posture, exposing client data through a third-party plugin is still a notifiable breach — and the regulator has been clear that excessive plugin sprawl and weak access controls are squarely in scope.

What to do today

  • Audit every WordPress site you own or manage. Look in wp-content/plugins for widget-options.
  • Lock down Contributor and Author roles — only give them to people you’d trust with a server login.
  • Disable or remove the plugin until the vendor ships a fully patched release.
  • If you’re running e-commerce or storing customer data, run a malware scan (Wordfence, Sucuri) and review recent admin activity.
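A small POSIX shell audit helper, added here as an example (it is not from the original post or from the plugin vendor), that does the first step above: it checks a WordPress root for wp-content/plugins/widget-options and flags the plugin when its Version: header is 4.2.2 or lower. The plugin's main file name is an assumption, so it reads the standard Version: header from whichever top-level .php file in the plugin directory carries one.

```shell
#!/bin/sh
# Added audit helper (not the plugin's or the post's own code).
# Usage: sh audit.sh /var/www/site-a /var/www/site-b ...

# Return 0 if $1 <= $2 as dotted versions (so 4.2.2 <= 4.2.2 is true).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# Print the "Version:" plugin header found in the plugin directory $1, or nothing.
# Assumption: the standard WordPress header lives in a top-level .php file.
plugin_version() {
    cat "$1"/*.php 2>/dev/null \
        | grep -E '^[[:space:]]*\*?[[:space:]]*Version:' \
        | head -n1 | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# Audit one WordPress root ($1). Prints a verdict and returns:
# 0 = plugin absent, 1 = vulnerable (<= 4.2.2), 2 = version unknown, 3 = newer.
audit_widget_options() {
    dir="$1/wp-content/plugins/widget-options"
    [ -d "$dir" ] || { echo "$1: widget-options not installed"; return 0; }
    ver=$(plugin_version "$dir")
    if [ -z "$ver" ]; then
        echo "$1: widget-options present, version unknown - treat as vulnerable"
        return 2
    fi
    if version_le "$ver" "4.2.2"; then
        echo "$1: widget-options $ver VULNERABLE (CVE-2026-2052) - disable or remove"
        return 1
    fi
    echo "$1: widget-options $ver (above 4.2.2; still confirm against the vendor advisory)"
    return 3
}

# Audit every root given on the command line; a non-zero verdict must not stop the loop.
for root in "$@"; do
    audit_widget_options "$root" || true
done
```

Run it from cron against every document root you manage and alert on any exit code other than 0, since an unreadable header (2) deserves the same response as a confirmed old version.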

If you’re not sure who has Contributor access on your site or whether your plugins are being kept current, talk to us — that’s the kind of housekeeping our managed cybersecurity service covers by default.


Posted in Security