Widget Logic Visual <= 1.52 - Authenticated (Subscriber+) Remote Code Execution via 'nwlv[cod-tag]' Parameter

2026-07-07 16:29
Nabil Irawan

Strategic Overview

Status
Unpatched
Affected PluginWidget Logic Visual
Affected Version<= 1.52
CVSS8.8High
CVECVE-2026-14158
View all Widget Logic Visual vulnerabilities

Vulnerability Overview

The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widget_logic_visual_check_visibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action combined with insufficient sanitization of the 'nwlv[cod-tag]' parameter before storage and subsequent use in an eval() call. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server.

Technical Analysis

REMEDIATION: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement. --- IDENTIFIER: CWE-434 (Unrestricted Upload of File with Dangerous Type) The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

External References

Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C

Widget Logic Visual <= 1.52 - Authenticated (Subscriber+) Remote Code Execution via 'nwlv[cod-tag]' Parameter (CVE-2026-14158)