CVE-2026-3896
Description
The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lsow_admin_ajax AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Livemesh SiteOrigin Widgets <= 3.9.2 allows Subscriber+ attackers to inject stored XSS via an AJAX handler lacking capability checks.
Vulnerability
The Livemesh SiteOrigin Widgets plugin for WordPress, version 3.9.2 and earlier, contains a Stored Cross-Site Scripting (XSS) vulnerability. The flaw resides in the lsow_admin_ajax AJAX action, specifically in the save_settings_callback function called from admin-ajax.php. The handler only verifies a nonce but does not check user capabilities [2]. As a result, any authenticated user — even a Subscriber — can modify plugin settings stored in the WordPress database and inject arbitrary JavaScript. The unsanitized values are later rendered both on the plugin settings page in wp-admin and on the frontend where widget settings are output [1][2].
Exploitation
An attacker needs a valid WordPress account with Subscriber-level or higher privileges. No further authorization is required. The attacker sends a POST request to wp-admin/admin-ajax.php with action=lsow_admin_ajax, func=lsow_save_settings, a valid nonce (obtainable from the settings page), and malicious payloads in the settings fields. The lsow_check_nonce() function verifies the nonce but does not enforce any capability check [2]. The plugin then saves the attacker's values without proper sanitization, making the payload persistent.
Impact
An authenticated attacker can inject arbitrary JavaScript that executes in the context of any administrator who visits the plugin settings page, or any user who visits a page displaying the affected widget. This can lead to session hijacking, credential theft, defacement, or further privilege escalation through admin-level actions. The attack does not require additional user interaction beyond normal browsing.
Mitigation
The vendor released version 3.9.3 on May 27, 2026, which adds a capability check (manage_options) to the AJAX handler, preventing low-privileged users from modifying plugin settings. Users should update to version 3.9.3 or later immediately. No other workarounds are available; upgrading the plugin is the only mitigation.
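To make the fix concrete, here is an added illustration of the vulnerable handler pattern the advisory describes next to a hardened version, written against standard WordPress APIs; it is not the plugin's own code, and the function names, the `example_settings` option and the `example_nonce` action are placeholders.

```php
<?php
// Added illustration, not code from the Livemesh plugin. All names below
// (example_admin_ajax_*, example_settings, example_nonce) are placeholders.

// BEFORE (the pattern the advisory describes): the nonce only proves the
// request originated from a page the user loaded. Any logged-in user can
// load that page, so a nonce is not an authorization check, and the values
// are persisted without sanitization.
function example_admin_ajax_vulnerable() {
    check_ajax_referer( 'example_nonce', 'nonce' );             // nonce only
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_settings', $settings );             // raw input stored
    wp_send_json_success();
}

// AFTER: the same endpoint with (1) a capability check, (2) per-field
// sanitization before storage, and (3) escaping wherever values are rendered.
function example_admin_ajax_fixed() {
    check_ajax_referer( 'example_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {             // authorization
        wp_send_json_error( 'insufficient_permissions', 403 );  // sends and exits
    }
    $raw   = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $clean = array(
        'title'     => sanitize_text_field( $raw['title'] ?? '' ), // plain text only
        'intro'     => wp_kses_post( $raw['intro'] ?? '' ),        // limited safe HTML
        'enable_js' => ! empty( $raw['enable_js'] ) ? 1 : 0,       // coerce to a flag
    );
    update_option( 'example_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_example_admin_ajax', 'example_admin_ajax_fixed' );

// Output side: escape at render time as well, so a value that reached the
// database by any other path still cannot execute on the settings page
// or on the frontend.
function example_render_settings_field() {
    $settings = get_option( 'example_settings', array() );
    printf(
        '<input type="text" name="settings[title]" value="%s">',
        esc_attr( $settings['title'] ?? '' )
    );
    echo '<div class="intro">' . wp_kses_post( $settings['intro'] ?? '' ) . '</div>';
}
```

The capability check must come before any write; placing it after `update_option` or only on the settings page markup leaves the AJAX path exposed exactly as the advisory describes.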
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=3.9.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/livemesh-siteorigin-widgets/tags/3.9.2/admin/admin-ajax.php
- plugins.trac.wordpress.org/browser/livemesh-siteorigin-widgets/tags/3.9.2/admin/views/settings.php
- plugins.trac.wordpress.org/browser/livemesh-siteorigin-widgets/tags/3.9.2/includes/helper-functions.php
- www.wordfence.com/threat-intel/vulnerabilities/id/a1510984-571b-49ce-9e10-129e2a1aca7b
News mentions
No linked articles in our index yet.