CVE-2025-8780

Root

Cause

The Livemesh SiteOrigin Widgets plugin for WordPress, in versions up to and including 3.9.1, contains a stored cross-site scripting (XSS) vulnerability. The flaw resides in the plugin's Hero Header and Pricing Table widgets, where user-supplied attributes are insufficiently sanitized and output escaping is missing [1]. This allows malicious input to bypass filtering and be stored in the WordPress database.

Exploitation

Successful exploitation requires an authenticated attacker with at least contributor-level access. Such users can inject arbitrary JavaScript or HTML into widget attributes [1]. When a page containing the compromised widget is subsequently viewed by any user — including administrators or site visitors — the injected script executes within the context of the victim's browser session.

Impact

This stored XSS can lead to session hijacking, defacement, or theft of sensitive information such as cookies and authentication tokens. Because the attack persists without requiring further interaction from the victim, it poses a risk to any site that allows contributor-level users to edit pages while this plugin is active.

Status

As of May 18, 2026, the plugin has been temporarily closed on the WordPress.org repository pending a full review [1]. Users should remove or disable the plugin until a fixed version is released; no patched version is currently available.