Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 08 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 08 Jul 2026 05:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Totalbounty
Totalbounty widget Logic Visual Wordpress Wordpress wordpress |
|
| Vendors & Products |
Totalbounty
Totalbounty widget Logic Visual Wordpress Wordpress wordpress |
Wed, 08 Jul 2026 04:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widget_logic_visual_check_visibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action combined with insufficient sanitization of the 'nwlv[cod-tag]' parameter before storage and subsequent use in an eval() call. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server. | |
| Title | Widget Logic Visual <= 1.52 - Authenticated (Subscriber+) Remote Code Execution via 'nwlv[cod-tag]' Parameter | |
| Weaknesses | CWE-434 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-08T12:45:11.101Z
Reserved: 2026-06-30T01:26:04.860Z
Link: CVE-2026-14158
Updated: 2026-07-08T12:45:07.785Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T05:30:03Z