Title: Arbitrary Code Execution
Last modified: February 13, 2025

---

# Arbitrary Code Execution

 *  Resolved [bindevid](https://wordpress.org/support/users/bindevid/)
 * (@bindevid)
 * [1 year, 3 months ago](https://wordpress.org/support/topic/arbitrary-code-execution/)
 * WordPress Widget Options Plugin <= 4.1.0 – Arbitrary Code Execution vulnerability
 * Severity is rated at 9.9!!!

Viewing 4 replies - 16 through 19 (of 19 total)

 *  [aparentdesign](https://wordpress.org/support/users/aparentdesign/)
 * (@aparentdesign)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/arbitrary-code-execution/page/2/#post-18706971)
 * Have any of the recent updates addressed this issue? The only admins on our site
   are system administrators who do not post content. We use User Role Editor plugin
   to allow editors and manager roles to access widgets. Can this access be connected
   between the two plugins?
 *  Plugin Author [Mej de Castro](https://wordpress.org/support/users/mej/)
 * (@mej)
 * [6 months, 2 weeks ago](https://wordpress.org/support/topic/arbitrary-code-execution/page/2/#post-18711615)
 * Hi [@aparentdesign](https://wordpress.org/support/users/aparentdesign/),
 * Some access has been restricted to **Administrators only** because certain features,
   particularly in the **Conditional Logic** section, can introduce potential vulnerabilities
   for website owners. As a temporary solution, these functionalities are now limited
   to Administrators, even if other roles are modified using the **User Role Editor**
   plugin.
 * Could you please let us know which specific functionalities are not accessible
   when a non-Administrator role is edited using the User Role Editor plugin? This
   will help us review and determine if adjustments can be made.
 * Kind Regards,
   Mej, Widget Options Team
 *  [aparentdesign](https://wordpress.org/support/users/aparentdesign/)
 * (@aparentdesign)
 * [6 months, 1 week ago](https://wordpress.org/support/topic/arbitrary-code-execution/page/2/#post-18713938)
 * Hi, I’m aware of the restriction, and restricting access for non-admins has been
   a “temporary” fix for months. Are other solutions in development?
 * Conditional logic is the main reason we use your plugin, so that is the feature
   that our custom roles need to access. Again, the only “admins” on this site are
   network administrators who do not post content. We use User Role Editor to create/edit
   roles such as Manager and Editor that have enough access to add/edit text widgets,
   etc. without granting full admin rights.
 * We use conditional logic to show widgets on certain posts using the is_single()
   function. We have many, many widgets organized this way.
 * If the PHP functions are a risk, then why not have posts use the same WYSIWYG
   functionality your pages feature has? It’s a search function you have already
   created. No need for user PHP at all.
 *  Plugin Author [Mej de Castro](https://wordpress.org/support/users/mej/)
 * (@mej)
 * [6 months, 1 week ago](https://wordpress.org/support/topic/arbitrary-code-execution/page/2/#post-18715008)
 * Hi [@aparentdesign](https://wordpress.org/support/users/aparentdesign/),
 * Regarding the solution for non-admin access, our dev team is still actively working
   on a possible fix that would allow non-admin users to access the Conditional 
   Logic tab without introducing any vulnerabilities.
 * According to our developers, the Conditional Logic tab may receive a new UX and
   additional security features. We’re currently testing these updates before implementing
   them.
 * We truly appreciate your patience as we work toward providing a permanent solution
   for non-admin users while maintaining the plugin’s security.
 * Regards,

The topic ‘Arbitrary Code Execution’ is closed to new replies.
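
The suggestion raised in the thread, driving post conditions from a picker instead of user-entered PHP, comes down to storing a structured rule and calling only allowlisted conditional tags. The following is an added example of that approach, not code from Widget Options or from any poster; the JSON rule format, the `wo_*` function names and the stand-in `is_single()` are assumptions made for illustration.

```php
<?php
// Added example; the rule format and wo_* names are hypothetical, not the plugin's.
// Only these WordPress conditional tags may ever be called.
const WO_ALLOWED_TAGS = ['is_single', 'is_page', 'is_front_page', 'is_home', 'is_archive'];

/** Validate one decoded rule; returns a normalized rule, or null if unacceptable. */
function wo_validate_rule($rule): ?array {
    if (!is_array($rule) || !is_string($rule['tag'] ?? null)
        || !in_array($rule['tag'], WO_ALLOWED_TAGS, true)) {
        return null; // names outside the allowlist are rejected, never executed
    }
    $args = [];
    foreach ((array) ($rule['args'] ?? []) as $arg) {
        // Accept post/page IDs and slugs only; no nested data, no free text.
        if (!is_int($arg) && !(is_string($arg) && preg_match('/^[a-z0-9_-]{1,200}\z/', $arg))) {
            return null;
        }
        $args[] = $arg;
    }
    return ['tag' => $rule['tag'], 'args' => $args, 'negate' => !empty($rule['negate'])];
}

/** True when every stored rule matches; malformed input hides the widget. */
function wo_widget_visible(string $json): bool {
    $rules = json_decode($json, true);
    if (!is_array($rules)) {
        return false;
    }
    foreach ($rules as $raw) {
        $rule = wo_validate_rule($raw);
        if ($rule === null) {
            return false;
        }
        // is_single() and is_page() accept an array of IDs/slugs.
        $hit = $rule['args'] ? call_user_func($rule['tag'], $rule['args'])
                             : call_user_func($rule['tag']);
        if ((bool) $hit === $rule['negate']) {
            return false;
        }
    }
    return true;
}

// Constructed stand-in so the example runs outside WordPress.
if (!function_exists('is_single')) {
    function is_single($post = '') { return in_array(42, (array) $post, true); }
}
var_dump(wo_widget_visible('[{"tag":"is_single","args":[42]}]')); // allowlisted tag
var_dump(wo_widget_visible('[{"tag":"phpinfo","args":[]}]'));     // not allowlisted
```

Because the stored value is data rather than PHP, a role that can edit widgets can only choose among the listed tags and supply IDs or slugs; validation should run both when the rule is saved and again before it is evaluated.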

 * 28 replies
 * 6 participants
 * Last reply from: [Mej de Castro](https://wordpress.org/support/users/mej/)
 * Last activity: [6 months, 1 week ago](https://wordpress.org/support/topic/arbitrary-code-execution/page/2/#post-18715008)
 * Status: resolved