CVE-2026-2127
Unauthorized Shortcode Execution in SiteOrigin Widgets Bundle Plugin
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| siteorigin | widgets_bundle | up to and including 1.70.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the SiteOrigin Widgets Bundle WordPress plugin (up to version 1.70.4) allows authenticated users with Subscriber-level access or higher to execute arbitrary shortcodes without proper authorization.
This happens because the function `siteorigin_widget_preview_widget_action()`, which handles AJAX requests for widget previews, only verifies a security nonce but does not check the user's capabilities.
Since the required nonce is exposed publicly on pages containing the Post Carousel widget, attackers can invoke the Editor widget's preview endpoint to run arbitrary shortcodes, potentially leading to unauthorized content execution.
How can this vulnerability impact me?
This vulnerability can allow an authenticated user with minimal privileges (Subscriber-level) to execute arbitrary shortcodes on the website.
Arbitrary shortcode execution can lead to unauthorized content injection, manipulation of site behavior, or exposure of sensitive information depending on the shortcodes available and their effects.
Because the vulnerability does not require administrative privileges, it increases the risk of privilege escalation and unauthorized actions within the WordPress site.
The CVSS base score of 5.4 reflects a medium severity impact with potential confidentiality and integrity impacts but no availability impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized arbitrary shortcode execution via the AJAX action `wp_ajax_so_widgets_preview` in the SiteOrigin Widgets Bundle plugin for WordPress (versions up to 1.70.4). Detection can focus on monitoring AJAX requests to the WordPress admin-ajax.php endpoint, specifically looking for requests to the action `so_widgets_preview` or `siteorigin_widget_preview_widget_action`.
Since the exploit requires an authenticated user with Subscriber-level access or higher and a valid nonce exposed on the frontend when the Post Carousel widget is present, detection can include checking for unusual or unauthorized AJAX POST requests containing the `widgets_action` nonce parameter targeting the preview endpoint.
- Use web server or application logs to search for POST requests to `wp-admin/admin-ajax.php` with the parameter `action=so_widgets_preview` or similar.
- Inspect HTTP requests for the presence of the `widgets_action` nonce parameter in POST data.
- Monitor authenticated user activity for unexpected AJAX calls invoking widget preview functionality.
Example commands to search Apache or Nginx logs for suspicious AJAX requests:
- `grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'action=so_widgets_preview'`
- `grep 'admin-ajax.php' /var/log/nginx/access.log | grep 'action=so_widgets_preview'`
Additionally, monitoring WordPress user activity logs or using security plugins that log AJAX requests can help detect exploitation attempts. [1]
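As an added example (not from this page or from SiteOrigin), the same search the grep commands above perform, done in Python over constructed sample access-log lines: it parses each combined-format line, flags POST requests to admin-ajax.php whose query string carries the `so_widgets_preview` action, and counts how many of those also carried the `widgets_action` nonce parameter. The IP addresses, timestamps and nonce value in the sample are made up.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Feb/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=so_widgets_preview HTTP/1.1" 200 512 "https://example.test/" "Mozilla/5.0"
203.0.113.5 - - [18/Feb/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=so_widgets_preview&widgets_action=deadbeef12 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2026:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Feb/2026:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "-" "curl/8.0"
"""

# Combined log format: client IP, timestamp, request line and status are all we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

SUSPECT_ACTIONS = {"so_widgets_preview"}

def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["script"] = parts.path              # request path without the query string
    rec["query"] = parse_qs(parts.query)    # query parameters as {name: [values]}
    return rec

def is_preview_request(rec):
    """True for a POST to admin-ajax.php whose query string names a suspect action."""
    if rec["method"] != "POST" or not rec["script"].endswith("/wp-admin/admin-ajax.php"):
        return False
    return bool(set(rec["query"].get("action", [])) & SUSPECT_ACTIONS)

def find_hits(log_text):
    """Return the parsed records of every matching request, in log order."""
    return [r for r in map(parse_line, log_text.splitlines()) if r and is_preview_request(r)]

def summarize(hits):
    """Count hits per source IP and how many also carried the widgets_action nonce."""
    per_ip = Counter(h["ip"] for h in hits)
    with_nonce = sum(1 for h in hits if "widgets_action" in h["query"])
    return {"total": len(hits), "with_nonce": with_nonce, "per_ip": dict(per_ip)}

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["ts"], h["status"], h["path"])
    print(summarize(hits))
```

Access logs record only the query string, so a request that sends `action` in the POST body (the fourth sample line) is invisible to both this script and the grep commands; covering that case needs application-level or WAF request logging.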
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediate steps include:
- Update the SiteOrigin Widgets Bundle plugin to a version later than 1.70.4 where the vulnerability is fixed by adding proper capability checks on the AJAX preview action.
- If updating immediately is not possible, restrict access to the WordPress admin-ajax.php endpoint to trusted users only, for example by limiting access via firewall or web server rules.
- Remove or disable the Post Carousel widget from public pages to prevent exposure of the required nonce in the frontend HTML.
- Implement monitoring and alerting on suspicious AJAX requests targeting the widget preview endpoint.
The root cause is a missing capability check in the `siteorigin_widget_preview_widget_action()` function, which was addressed by introducing a centralized permission and nonce verification function that enforces user capability checks before processing AJAX requests.
Applying the official security patch or plugin update that includes these improvements is the recommended and most effective mitigation.