Title: [Plugin: Widget Logic] Security hole?
Last modified: August 20, 2016

---

# [Plugin: Widget Logic] Security hole?

 *  [Bjørn Johansen](https://wordpress.org/support/users/bjornjohansen/)
 * (@bjornjohansen)
 * [14 years, 6 months ago](https://wordpress.org/support/topic/plugin-widget-logic-security-hole/)
 * The plugin sure does what it says, but I’m concerned about the security here.
 * As whatever a user enters as “widget logic” gets eval()’ed by PHP, any user
   with access to modifying widgets essentially could do whatever to the full installation.
   E.g. a user could enter [information removed - Mark] to delete everything you got
   on the host.
 * I couldn’t find it anywhere in the plugin code, but there sure should be a whitelist
   of functions allowed in code like this.
 * [http://wordpress.org/extend/plugins/widget-logic/](http://wordpress.org/extend/plugins/widget-logic/)

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [Mark (podz)](https://wordpress.org/support/users/podz/)
 * (@podz)
 * [14 years, 6 months ago](https://wordpress.org/support/topic/plugin-widget-logic-security-hole/#post-2448705)
 * Could you send information to [plugins@wordpress.org](mailto:plugins@wordpress.org)
   please? I will then pass this directly to the developer.
 * I edited your post to remove the code.
 *  [alanft](https://wordpress.org/support/users/alanft/)
 * (@alanft)
 * [14 years, 5 months ago](https://wordpress.org/support/topic/plugin-widget-logic-security-hole/#post-2449025)
 * Bjørn, you are not the first person to note this, and actually I’m surprised it’s
   not in the “Other Notes” section of the documentation – I’m going to add that
   to my ‘to do’ list – as I’ve discussed the possible security issue on a few posts
   here. The consensus being that the quid pro quo of keeping anyone but widget
   admins out of editing the code is a sufficient price for the power/simplicity
   of the main idea. It’s ‘with great power comes great responsibility’ of course.
 * If anyone has some simple ‘function whitelist’ code they can point me at I’ll
   take a look.
 * When I first posted WL (years ago) I noted words to the effect that ‘for now’
   I’m using a simple eval, but might try something more sophisticated if people
   have a problem with the security implications of this.
 * Cheers – A
 *  [alanft](https://wordpress.org/support/users/alanft/)
 * (@alanft)
 * [14 years, 5 months ago](https://wordpress.org/support/topic/plugin-widget-logic-security-hole/#post-2449050)
 * What I said last time:
 * [http://wordpress.org/support/topic/widget-logic-security](http://wordpress.org/support/topic/widget-logic-security)
 * Also I’ll be doing a new release soon and I’m going to add the warning back in
   and make it *specifically* check for current_user_can(‘edit_theme_options’)
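The thread leaves two defensive measures open: the ‘function whitelist’ alanft asks for, and the `current_user_can('edit_theme_options')` check he plans to add. The following is an added example (PHP 8), not the Widget Logic plugin’s own code, showing how both fit together without `eval()`: a small parser that accepts only an allowlisted set of WordPress conditional tags combined with `( ) ! && ||` and string/integer literals, refusing everything else before anything runs, plus a `widget_update_callback` filter that drops the setting for users lacking the capability. The set of allowed tags, the `widget_logic` option key, and the stub functions at the bottom (so it runs outside WordPress) are assumptions.

```php
<?php
// Added example, not Widget Logic's own code: evaluates widget conditions
// without eval(). Only names in ALLOWED may be called; variables, ';',
// backticks and any other function name are rejected before execution.
final class SafeWidgetLogic
{
    // Assumed subset of WordPress conditional tags; extend to suit the site.
    private const ALLOWED = [
        'is_home', 'is_front_page', 'is_single', 'is_page', 'is_singular',
        'is_category', 'is_tag', 'is_archive', 'is_search', 'is_404',
        'is_user_logged_in', 'is_admin',
    ];
    private array $tokens = [];
    private int $pos = 0;

    private function __construct(private bool $execute) {}

    // Parse and run: true means "show the widget".
    public static function evaluate(string $expr): bool { return (new self(true))->run($expr); }
    // Parse only (for validating on save); throws on anything outside the grammar.
    public static function validate(string $expr): void { (new self(false))->run($expr); }

    private function run(string $expr): bool
    {
        $this->tokens = $this->tokenize($expr);
        $result = $this->parseOr();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('Unexpected token "' . $this->tokens[$this->pos][1] . '"');
        }
        return $result;
    }

    private function tokenize(string $expr): array
    {
        // Groups: 1 operator, 2 identifier, 3/4 quoted string, 5 integer, 6 anything else (illegal).
        $re = '/\s*(?:(&&|\|\||!|\(|\)|,)|([A-Za-z_][A-Za-z0-9_]*)|\'([^\']*)\'|"([^"]*)"|(\d+)|(\S))/';
        preg_match_all($re, $expr, $matches, PREG_SET_ORDER);
        $tokens = [];
        foreach ($matches as $m) {
            if (($m[6] ?? '') !== '')    { throw new InvalidArgumentException('Illegal character "' . $m[6] . '"'); }
            if (($m[1] ?? '') !== '')    { $tokens[] = ['op', $m[1]]; }
            elseif (($m[2] ?? '') !== '') { $tokens[] = ['ident', $m[2]]; }
            elseif (($m[5] ?? '') !== '') { $tokens[] = ['lit', (int) $m[5]]; }
            else                          { $tokens[] = ['lit', ($m[3] ?? '') . ($m[4] ?? '')]; }
        }
        return $tokens;
    }

    private function peek(string $type, ?string $value = null): bool
    {
        $t = $this->tokens[$this->pos] ?? null;
        return $t !== null && $t[0] === $type && ($value === null || $t[1] === $value);
    }

    private function expect(string $value): void
    {
        if (!$this->peek('op', $value)) { throw new InvalidArgumentException("Expected \"$value\""); }
        $this->pos++;
    }

    // Operands are always parsed (no short-circuit) so every token is checked.
    private function parseOr(): bool
    {
        $v = $this->parseAnd();
        while ($this->peek('op', '||')) { $this->pos++; $v = $this->parseAnd() || $v; }
        return $v;
    }

    private function parseAnd(): bool
    {
        $v = $this->parseNot();
        while ($this->peek('op', '&&')) { $this->pos++; $v = $this->parseNot() && $v; }
        return $v;
    }

    private function parseNot(): bool
    {
        if ($this->peek('op', '!')) { $this->pos++; return !$this->parseNot(); }
        if ($this->peek('op', '(')) { $this->pos++; $v = $this->parseOr(); $this->expect(')'); return $v; }
        return $this->parseCall();
    }

    private function parseCall(): bool
    {
        if (!$this->peek('ident')) { throw new InvalidArgumentException('Expected a conditional tag'); }
        $name = $this->tokens[$this->pos++][1];
        if (!in_array($name, self::ALLOWED, true)) { throw new InvalidArgumentException("Function \"$name\" is not allowed"); }
        $this->expect('(');
        $args = [];
        while (!$this->peek('op', ')')) {
            if ($args !== []) { $this->expect(','); }
            if (!$this->peek('lit')) { throw new InvalidArgumentException('Arguments must be string or integer literals'); }
            $args[] = $this->tokens[$this->pos++][1];
        }
        $this->pos++;
        return $this->execute ? (bool) $name(...$args) : false; // validate mode never calls anything
    }
}

// Inside WordPress: keep the old value unless the user holds the capability
// alanft names and the new expression parses. 'widget_logic' key is assumed.
if (function_exists('add_filter')) {
    add_filter('widget_update_callback', function ($instance, $new, $old) {
        if (isset($new['widget_logic'])) {
            try {
                if (!current_user_can('edit_theme_options')) { throw new InvalidArgumentException('no capability'); }
                SafeWidgetLogic::validate($new['widget_logic']);
            } catch (InvalidArgumentException $e) {
                $instance['widget_logic'] = $old['widget_logic'] ?? '';
            }
        }
        return $instance;
    }, 10, 3);
}

// Constructed stand-ins so the example runs outside WordPress.
if (!function_exists('is_home'))           { function is_home(): bool { return false; } }
if (!function_exists('is_page'))           { function is_page($p = ''): bool { return $p === 'about'; } }
if (!function_exists('is_user_logged_in')) { function is_user_logged_in(): bool { return true; } }

var_dump(SafeWidgetLogic::evaluate("is_page('about') && !is_home()"));
foreach (['phpinfo()', 'is_home(); is_page()', '$_GET["p"]'] as $bad) {
    try { SafeWidgetLogic::evaluate($bad); }
    catch (InvalidArgumentException $e) { echo "rejected: $bad -> {$e->getMessage()}\n"; }
}
```

The parser evaluates both sides of `&&`/`||` rather than short-circuiting, so a disallowed name is rejected wherever it appears in the expression, and `validate()` runs the same grammar without calling any function, which is what the save-time filter needs. The capability check is applied where the value is stored, not only where the form is rendered, so it holds for any code path that updates widget options.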


The topic ‘[Plugin: Widget Logic] Security hole?’ is closed to new replies.
