CVE-2025-8780
Stored XSS in Livemesh SiteOrigin Widgets Plugin Allows Script Injection
Publication date: 2025-12-13
Last updated on: 2025-12-13
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| livemesh | siteorigin_widgets | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Livemesh SiteOrigin Widgets plugin for WordPress, specifically affecting the Hero Header and Pricing Table widgets in versions up to 3.9.1. It occurs because the plugin does not properly sanitize or escape user-supplied input, allowing authenticated users with contributor-level access or higher to inject malicious scripts into pages. These scripts then execute whenever any user views the affected page.
How can this vulnerability impact me? :
An attacker with contributor-level access or higher can exploit this vulnerability to inject malicious scripts into your website's pages. This can lead to unauthorized actions such as stealing user session data, defacing the website, or performing actions on behalf of other users without their consent. It compromises the integrity and security of your website and its users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your WordPress site is running the Livemesh SiteOrigin Widgets plugin version 3.9.1 or earlier, as these versions are vulnerable. You can look for suspicious stored scripts in pages using the Hero Header or Pricing Table widgets, especially if contributor-level users have edited content. There are no specific network commands provided in the resources, but you can inspect the HTML source of pages using these widgets for unexpected or malicious script tags. Additionally, reviewing plugin version via WordPress admin or using WP-CLI command `wp plugin list` to check the installed version of livemesh-siteorigin-widgets can help detect vulnerable versions. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Livemesh SiteOrigin Widgets plugin to version 3.9.2 or later, where the vulnerability has been fixed by improving input sanitization and output escaping in the Hero Header and Pricing Table widgets. This update includes changes such as using WordPress's wp_kses() and wp_kses_post() functions to whitelist allowed HTML tags and attributes, preventing malicious script injection. Until the update is applied, restrict contributor-level user permissions to prevent exploitation. [1, 4, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information regarding how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.