CVE-2026-14158
Last modified
CVE-2026-14158 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widget_logic_visual_check_visibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action combined with insufficient sanitization of the 'nwlv[cod-tag]' parameter before storage and subsequent use in an eval() call. EPSS estimates a 0.52% chance of exploitation in the next 30 days.
Description
The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widget_logic_visual_check_visibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action combined with insufficient sanitization of the 'nwlv[cod-tag]' parameter before storage and subsequent use in an eval() call. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| totalbounty | Widget Logic Visual | <= 1.52 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-14158?
How severe is CVE-2026-14158?
How do I fix CVE-2026-14158?
Related CVEs from 2026
- CVE-2026-14151Inappropriate implementation in AI in Google Chrome prior to…8.3
- CVE-2026-14152Out of bounds read and write in ANGLE in Google Chrome prior…9.6
- CVE-2026-14153Inappropriate implementation in Glic in Google Chrome prior …5.3
- CVE-2026-14154Inappropriate implementation in DevTools in Google Chrome pr…4.8
- CVE-2026-14155Insufficient policy enforcement in StorageAccessAPI in Googl…6.5
- CVE-2026-14156Insufficient policy enforcement in StorageAccessAPI in Googl…6.5
- CVE-2026-1416A security flaw has been discovered in GPAC up to 2.4.0. Aff…3.3
- CVE-2026-14160Time-of-check time-of-use (TOCTOU) race condition vulnerabil…5.9
- CVE-2026-14161Hospital Quening Management developed by Advantech has a Sen…8.7
- CVE-2026-14162Hospital Queuing Management developed by Advantech has a Sen…9.8
- CVE-2026-14164A double free issue has been identified in libarchive's RAR5…7.5
- CVE-2026-1417A weakness has been identified in GPAC up to 2.4.0. Affected…3.3
Are you affected by CVE-2026-14158?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
