PLUGIN SECURITY
Is Widget Options safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Widget Options WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
widget-options - Requires PHP: 7.4+
- Max supported PHP (analyzed): 8.4
Known vulnerabilities
- Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets [widget-options] < 4.0.2 [CVE-2024-35690, WordPress Widget Options Plugin <= 4.0.1 is vulnerable to Sensitive Data Exposure, WordPress Widget Options Plugin <= 4.0.1 is vulnerable to Sensitive Data Exposure]
- Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets [widget-options] < 4.0.2 [CVE-2024-35691, Widget Options - Extended <= 5.1.0 & Widget Options <= 4.0.1 - Authenticated (Subscriber+) Information Disclosure]
- Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets [widget-options] < 4.0.8 [CVE-2024-8672, Widget Options – The #1 WordPress Widget & Block Control Plugin <= 4.0.7 - Authenticated (Contributor+) Remote Code Execution, WordPress Widget Options Plugin <= 4.0.7 is vulnerable to Remote Code Execution (RCE)]
- Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets [widget-options] < 4.0.8 [CVE-2024-56219, WordPress Widget Options Plugin <= 4.0.6.1 is vulnerable to Broken Access Control, Widget Options <= 4.0.6.1 - Missing Authorization]
- Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets [widget-options] < 4.0.9 [CVE-2025-22722, Widget Options <= 4.0.8 - Missing Authorization to Notice Dismissal, EUVD-2025-2943]
+ 5 more known vulnerabilities
- Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets [widget-options] < 4.1.1 [CVE-2025-22630, Widget Options <= 4.1.0 - Authenticated (Contributor+) Remote Code Execution, EUVD-2025-2895]
- Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets [widget-options] < 4.1.3 [CVE-2025-10580, EUVD-2025-35925, Widget Options – The #1 WordPress Widget & Block Control Plugin <= 4.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting]
- Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets [widget-options] < 4.2.0 [CVE-2026-27984, Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets <= 4.1.3 - Authenticated (Contributor+) Remote Code Execution]
- Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets [widget-options] < 4.2.3 [CVE-2026-2052, Widget Options <= 4.2.2 - Authenticated (Contributor+) Remote Code Execution via Display Logic, EUVD-2026-26754]
- Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets [widget-options] < 4.2.4 [CVE-2026-54823, Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets <= 4.2.3 - Authenticated (Contributor+) Remote Code Execution]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Classic Widgets — 2000000+ active installs — max PHP 8.4
- Custom Sidebars – Dynamic Sidebar Classic Widget Area Manager — 100000+ active installs — max PHP 8.4
- Classic Editor + — 40000+ active installs — max PHP 8.4
- Content Aware Sidebars – Fastest Widget Area Plugin — 30000+ active installs
- Classic Editor and Classic Widgets — 20000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.