CVE-2026-2127
SiteOrigin Widgets Bundle <= 1.70.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.4EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
18 Feb 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the `siteorigin_widget_preview_widget_action()` function which is registered via the `wp_ajax_so_widgets_preview` AJAX action. The function only verifies a nonce (`widgets_action`) but does not check user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes by invoking the `SiteOrigin_Widget_Editor_Widget` via the preview endpoint. The required nonce is exposed on the public frontend when the Post Carousel widget is present on a page, embedded in the `data-ajax-url` HTML attribute.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected products
gpriday · SiteOrigin Widgets BundleWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/base/inc/actions.php#L6https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/base/inc/actions.php#L75https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/widgets/editor/editor.php#L120https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/widgets/post-carousel/post-carousel.php#L590https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3460939%40so-widgets-bundle%2Ftrunk&old=3434183%40so-widgets-bundle%2Ftrunk&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/bf92c64b-ca76-4af7-a1e4-585a60b03153?source=cve