Description
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-url` DOM Element Attribute in all versions up to, and including, 1.68.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-25
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that permits arbitrary script execution by authenticated Contributor-level users
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the SiteOrigin Widgets Bundle plugin for WordPress and arises from the unsanitized use of the data-url DOM Element Attribute. An attacker who has Contributor, Editor, or higher access can embed custom JavaScript into pages. When any user loads the affected page, the injected script runs with that user’s context, potentially hijacking sessions, stealing credentials, or redirecting traffic. The flaw is a classic Stored XSS (CWE‑79) that allows persistent code execution across visits.

Affected Systems

WordPress sites running the SiteOrigin Widgets Bundle plugin with versions 1.68.4 or earlier. The plugin is installed by the SiteOrigin vendor and is distributed through the WordPress plugin repository.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. The attacker must possess Contributor-level role or higher and be able to edit page content. The injection occurs via the data-url attribute, so achieving the attack requires both authenticated access and the ability to modify or create widget configurations. Once placed, the script will execute for all visitors of the affected page.

Generated by OpenCVE AI on April 20, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to SiteOrigin Widgets Bundle 1.68.5 or later to eliminate the stored XSS flaw.
  • If an upgrade cannot be performed immediately, revoke or limit Contributor and higher role permissions from users who can edit widget configurations, thereby removing the ability to inject the malicious attribute.
  • Clean or sanitize existing widget data in the database to remove any injected data-url values and ensure that future input is properly escaped.

Generated by OpenCVE AI on April 20, 2026 at 22:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28611 The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-url` DOM Element Attribute in all versions up to, and including, 1.68.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 08 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Siteorigin
Siteorigin siteorigin Widgets Bundle
CPEs cpe:2.3:a:siteorigin:siteorigin_widgets_bundle:*:*:*:*:*:wordpress:*:*
Vendors & Products Siteorigin
Siteorigin siteorigin Widgets Bundle

Wed, 25 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Jun 2025 02:30:00 +0000

Type Values Removed Values Added
Description The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-url` DOM Element Attribute in all versions up to, and including, 1.68.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title SiteOrigin Widgets Bundle <= 1.68.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-url` DOM Element Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Siteorigin Siteorigin Widgets Bundle
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:24.186Z

Reserved: 2025-06-03T21:44:03.481Z

Link: CVE-2025-5585

cve-icon Vulnrichment

Updated: 2025-06-25T14:52:26.728Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-25T03:15:27.853

Modified: 2025-07-08T14:54:51.113

Link: CVE-2025-5585

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:30:19Z

Weaknesses