Description
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the `siteorigin_widget_preview_widget_action()` function which is registered via the `wp_ajax_so_widgets_preview` AJAX action. The function only verifies a nonce (`widgets_action`) but does not check user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes by invoking the `SiteOrigin_Widget_Editor_Widget` via the preview endpoint. The required nonce is exposed on the public frontend when the Post Carousel widget is present on a page, embedded in the `data-ajax-url` HTML attribute.
Published: 2026-02-18
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Shortcode Execution by Authenticated Users
Action: Apply Patch
AI Analysis

Impact

The SiteOrigin Widgets Bundle plugin for WordPress allows any authenticated user with the Subscriber role or higher to invoke an AJAX endpoint that renders arbitrary shortcodes. Because the handler performs no capability check, an attacker who can call the preview action with the exposed nonce can supply any shortcode content and have it executed on the site's frontend. This flaw is categorized as CWE-862 (Missing Authorization). The ability to run arbitrary shortcodes can lead to content manipulation, disclosure of sensitive information exposed through shortcodes, or even execution of malicious PHP code where an installed shortcode handler can be driven into such behavior, compromising site integrity and availability.

Affected Systems

The vulnerability affects all releases of the SiteOrigin Widgets Bundle plugin up to and including version 1.70.4. The plugin is published by gpriday and is widely deployed; the required nonce is exposed on installations where the Post Carousel widget, or any other widget that registers the same AJAX preview action, is placed on a publicly accessible page.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score of less than 1% suggests that the probability of active exploitation is very low at the time of this assessment, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers must be authenticated as a Subscriber or higher, so the attack surface is limited to holders of user accounts on the site. Once an authenticated user reaches the preview endpoint with the exposed nonce, the only remaining check is the nonce itself; the supplied shortcodes are rendered directly, with no additional exploit required. Therefore, while the severity is moderate and the exploitation likelihood is low, the impact on site integrity could be significant if an attacker can inject malicious shortcodes.

Generated by OpenCVE AI on April 15, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiteOrigin Widgets Bundle to the latest release that includes the missing capability check for the preview AJAX action.
  • If an immediate upgrade is not possible, restrict access to the wp_ajax_so_widgets_preview endpoint by adding a capability check that allows only users with higher permissions (e.g., Editor or Administrator).
  • Disable the Post Carousel widget or remove the widget from pages that are publicly accessible to eliminate exposure of the required nonce to unauthenticated visitors.
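The second recommended action above (a capability check in front of the preview endpoint) can be applied without touching the plugin's files. The following must-use plugin is an added example written for this page, not code from SiteOrigin, Wordfence or OpenCVE. It assumes only what the description states: the handler is registered on the `wp_ajax_so_widgets_preview` action and checks a nonce but no capability. The required capability (`edit_posts`) and the function names are assumptions chosen for illustration; `edit_posts` excludes Subscribers, which is the access level the advisory names, and can be tightened further if your roles warrant it.

```php
<?php
/**
 * Plugin Name: Harden so_widgets_preview (added example, not vendor code)
 * Description: Hypothetical mu-plugin (wp-content/mu-plugins/) that puts a
 *              capability check in front of the wp_ajax_so_widgets_preview
 *              handler described in CVE-2026-2127. Stopgap until the plugin
 *              is upgraded to a release containing the vendor's fix.
 */

defined( 'ABSPATH' ) || exit;

// Capability required to use the preview endpoint. ASSUMPTION: 'edit_posts'
// is used here because it is not granted to the Subscriber role; replace it
// with a stricter capability (e.g. 'edit_theme_options') if your site only
// expects Administrators to preview widgets.
const SOWB_PREVIEW_CAP = 'edit_posts';

/**
 * Decide whether the current request may proceed to the plugin's own handler.
 * is_user_logged_in() is redundant on a wp_ajax_ hook (it never fires for
 * anonymous users) but makes the intent explicit.
 */
function sowb_preview_request_allowed() {
    return is_user_logged_in() && current_user_can( SOWB_PREVIEW_CAP );
}

/**
 * Registered at priority 0 on the same AJAX action, so it runs before the
 * plugin's handler (registered at the default priority 10). Unauthorized
 * requests are terminated here and never reach
 * siteorigin_widget_preview_widget_action(); the plugin's existing nonce
 * check still applies to requests that pass.
 */
function sowb_guard_preview_action() {
    if ( sowb_preview_request_allowed() ) {
        return;
    }

    // Detection aid: a denied request means an authenticated low-privilege
    // account reached the endpoint with a valid-looking request. Repeated
    // denials from one user id are worth reviewing.
    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'so_widgets_preview denied: user_id=%d remote=%s',
        get_current_user_id(),
        $remote
    ) );

    // wp_send_json_error() calls wp_die(), so execution stops here.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
add_action( 'wp_ajax_so_widgets_preview', 'sowb_guard_preview_action', 0 );
```

Drop the file into `wp-content/mu-plugins/` so it loads before regular plugins; no activation step is needed. Because the guard hooks the same action name at an earlier priority rather than unhooking the vendor callback, it keeps working if the plugin later renames its internal function, and it becomes a harmless no-op once an upgraded plugin performs its own capability check. Verify the guard by requesting `admin-ajax.php?action=so_widgets_preview` as a Subscriber in a staging environment and confirming an HTTP 403 with the JSON error body.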



Advisories

No advisories yet.

History

Thu, 19 Feb 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (empty)          Gpriday; Gpriday siteorigin Widgets Bundle; Wordpress; Wordpress wordpress
Vendors & Products    (empty)          Gpriday; Gpriday siteorigin Widgets Bundle; Wordpress; Wordpress wordpress

Wed, 18 Feb 2026 13:15:00 +0000

Type      Values Removed   Values Added
Metrics   (empty)          ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 08:30:00 +0000

Type          Values Removed   Values Added
Description   (empty)          (identical to the Description section at the top of this page)
Title         (empty)          SiteOrigin Widgets Bundle <= 1.70.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
Weaknesses    (empty)          CWE-862
References    (empty)          (empty)
Metrics       (empty)          cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:28.822Z

Reserved: 2026-02-06T19:20:41.302Z

Link: CVE-2026-2127

Vulnrichment

Updated: 2026-02-18T12:24:55.752Z

NVD

Status: Deferred

Published: 2026-02-18T09:15:58.817

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2127

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses