CVE-2026-2127
SiteOrigin Widgets Bundle <= 1.70.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
Vexday Risk Score
13 Low
SSVC decision (CISA)
Track
No sign of exploitation → monitor
CVSS 5.4 · EPSS 0.3% · KEV: no · PoC: — · Nuclei: — · Metasploit: — · Patch: —
Lifecycle
18 Feb 2026: Published in NVD
Recommendation: Monitor; no sign of exploitation for now.
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the `siteorigin_widget_preview_widget_action()` function which is registered via the `wp_ajax_so_widgets_preview` AJAX action. The function only verifies a nonce (`widgets_action`) but does not check user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes by invoking the `SiteOrigin_Widget_Editor_Widget` via the preview endpoint. The required nonce is exposed on the public frontend when the Post Carousel widget is present on a page, embedded in the `data-ajax-url` HTML attribute.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
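The defect described above is a nonce being treated as an authorization check. A WordPress nonce only ties a request to a page that rendered it (CSRF protection); when that nonce is printed into public HTML, as the description says happens via the Post Carousel widget's `data-ajax-url` attribute, any visitor who can load the page can read it, so it says nothing about who the requester is or what they are allowed to do. The following is an added example, not code from the SiteOrigin Widgets Bundle plugin: it shows a nonce-only AJAX handler next to a hardened version that keeps the nonce check and adds a capability check. The handler and action names, the nonce action string, the POST field and the `edit_posts` capability are assumptions chosen for illustration; the real plugin's fix may use different names or a different capability.

```php
<?php
// Added example (not the SiteOrigin Widgets Bundle plugin's code).
// Function names, the AJAX action, the nonce action and the required
// capability below are assumptions used to illustrate the pattern.

// Vulnerable pattern: the handler verifies a nonce and nothing else.
// check_ajax_referer() with $stop = false returns false instead of dying,
// so the caller decides how to respond. Passing the nonce proves only that
// the request came from a page that rendered it, which here is a public page.
function example_preview_widget_vulnerable() {
    if ( ! check_ajax_referer( 'example_widgets_action', '_widgets_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }
    // Every authenticated user, Subscriber included, reaches this point.
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    wp_send_json_success( array( 'html' => do_shortcode( $content ) ) );
}

// Hardened pattern: the nonce check stays (CSRF protection) and an explicit
// authorization check is added, so only users who may author content can
// have shortcodes rendered through the preview endpoint.
function example_preview_widget_hardened() {
    if ( ! check_ajax_referer( 'example_widgets_action', '_widgets_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }
    // 'edit_posts' is an assumed capability for this illustration. By default
    // Subscribers do not have it; Contributors and higher roles do.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    wp_send_json_success( array( 'html' => do_shortcode( $content ) ) );
}

// Only the hardened handler is registered. wp_ajax_{action} hooks fire for
// logged-in users; a nonce check alone does not narrow that audience further.
add_action( 'wp_ajax_example_preview_widget', 'example_preview_widget_hardened' );
```

When reviewing a plugin's `wp_ajax_*` handlers, the check to make is whether each one that performs a privileged operation calls `current_user_can()` (or an equivalent role check) in addition to `check_ajax_referer()`; the nonce is necessary but never sufficient, and it is weakest when the same nonce value is emitted into frontend markup that unauthenticated visitors can read.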
Affected products
gpriday · SiteOrigin Widgets Bundle
References
https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/base/inc/actions.php#L6
https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/base/inc/actions.php#L75
https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/widgets/editor/editor.php#L120
https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/widgets/post-carousel/post-carousel.php#L590
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3460939%40so-widgets-bundle%2Ftrunk&old=3434183%40so-widgets-bundle%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/bf92c64b-ca76-4af7-a1e4-585a60b03153?source=cve