CVE-2026-2127
Status: Received - Intake
Unauthorized Shortcode Execution in SiteOrigin Widgets Bundle Plugin

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: Wordfence

Description
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the `siteorigin_widget_preview_widget_action()` function which is registered via the `wp_ajax_so_widgets_preview` AJAX action. The function only verifies a nonce (`widgets_action`) but does not check user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes by invoking the `SiteOrigin_Widget_Editor_Widget` via the preview endpoint. The required nonce is exposed on the public frontend when the Post Carousel widget is present on a page, embedded in the `data-ajax-url` HTML attribute.
Meta Information
Published: 2026-02-18
Last Modified: 2026-02-18
Generated: 2026-05-06
AI Q&A generated: 2026-02-18
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: siteorigin
Product: widgets_bundle
Version / Range: up to 1.70.4 (inclusive)
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the SiteOrigin Widgets Bundle WordPress plugin (up to version 1.70.4) allows authenticated users with Subscriber-level access or higher to execute arbitrary shortcodes without proper authorization.

This happens because the function `siteorigin_widget_preview_widget_action()`, which handles AJAX requests for widget previews, only verifies a security nonce but does not check the user's capabilities.

Since the required nonce is exposed publicly on pages containing the Post Carousel widget, attackers can invoke the Editor widget's preview endpoint to run arbitrary shortcodes, potentially leading to unauthorized content execution.


How can this vulnerability impact me?

This vulnerability can allow an authenticated user with minimal privileges (Subscriber-level) to execute arbitrary shortcodes on the website.

Arbitrary shortcode execution can lead to unauthorized content injection, manipulation of site behavior, or exposure of sensitive information depending on the shortcodes available and their effects.

Because the vulnerability does not require administrative privileges, it increases the risk of privilege escalation and unauthorized actions within the WordPress site.

The CVSS base score of 5.4 reflects a medium severity impact with potential confidentiality and integrity impacts but no availability impact.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized arbitrary shortcode execution via the AJAX action `wp_ajax_so_widgets_preview` in the SiteOrigin Widgets Bundle plugin for WordPress (versions up to 1.70.4). Detection can focus on monitoring AJAX requests to the WordPress admin-ajax.php endpoint, specifically looking for requests with the action `so_widgets_preview` (the one handled by `siteorigin_widget_preview_widget_action()`).

Since the exploit requires an authenticated user with Subscriber-level access or higher and a valid nonce exposed on the frontend when the Post Carousel widget is present, detection can include checking for unusual or unauthorized AJAX POST requests containing the `widgets_action` nonce parameter targeting the preview endpoint.

  • Use web server or application logs to search for POST requests to `wp-admin/admin-ajax.php` with the parameter `action=so_widgets_preview` or similar.
  • Inspect HTTP requests for the presence of the `widgets_action` nonce parameter in POST data.
  • Monitor authenticated user activity for unexpected AJAX calls invoking widget preview functionality.

Example commands to search Apache or Nginx logs for suspicious AJAX requests:

  • grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'action=so_widgets_preview'
  • grep 'admin-ajax.php' /var/log/nginx/access.log | grep 'action=so_widgets_preview'

Note that a default access log records the request line (including any query string) but not the POST body, so these greps only match when `action` is passed in the URL; matching it inside a POST body requires a WAF, reverse proxy or application-level request logging.

Additionally, monitoring WordPress user activity logs or using security plugins that log AJAX requests can help detect exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediate steps include:

  • Update the SiteOrigin Widgets Bundle plugin to a version later than 1.70.4 where the vulnerability is fixed by adding proper capability checks on the AJAX preview action.
  • If updating immediately is not possible, restrict access to the WordPress admin-ajax.php endpoint to trusted users only, for example by limiting access via firewall or web server rules.
  • Remove or disable the Post Carousel widget from public pages to prevent exposure of the required nonce in the frontend HTML.
  • Implement monitoring and alerting on suspicious AJAX requests targeting the widget preview endpoint.

The root cause is a missing capability check in the `siteorigin_widget_preview_widget_action()` function, which was addressed by introducing a centralized permission and nonce verification function that enforces user capability checks before processing AJAX requests.

Applying the official security patch or plugin update that includes these improvements is the recommended and most effective mitigation.
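The bug class behind this CVE (an AJAX handler that checks a nonce but never a capability) and the centralized nonce-plus-capability check the mitigation section describes, as an added PHP illustration written for this page; it is not the plugin's own code, and the hook name, the nonce request parameter, the `demo_` function names and the `edit_posts` capability are assumptions.

```php
<?php
// Added illustration of CVE-2026-2127's bug class; not SiteOrigin's code.
// Hook name, nonce parameter name and the chosen capability are assumptions.

// Vulnerable pattern: the handler verifies the nonce only. A nonce proves the
// request originated from a page the site rendered, not that the caller is
// allowed to act. Because the nonce is printed into public frontend markup,
// any logged-in Subscriber can copy it and reach the preview renderer.
function demo_preview_widget_vulnerable() {
    if ( ! wp_verify_nonce( $_POST['_widgets_nonce'] ?? '', 'widgets_action' ) ) {
        wp_send_json_error( array( 'error' => 'Invalid nonce' ), 403 ); // exits
    }
    $widget_text = (string) wp_unslash( $_POST['data'] ?? '' );
    // The preview renders the widget content, so shortcodes in it are executed.
    wp_send_json_success( array( 'html' => do_shortcode( $widget_text ) ) );
}

// Hardened pattern: one helper that every AJAX entry point calls. It verifies
// the nonce AND the capability and terminates the request on failure, so no
// individual handler can forget one of the two checks.
function demo_verify_ajax_permissions( $nonce_action, $capability ) {
    // check_ajax_referer() calls wp_die() with HTTP 403 when the nonce is bad.
    check_ajax_referer( $nonce_action, '_widgets_nonce' );
    if ( ! current_user_can( $capability ) ) {
        wp_send_json_error( array( 'error' => 'Insufficient permissions' ), 403 );
    }
}

function demo_preview_widget_fixed() {
    // 'edit_posts' is not granted to Subscribers; use the capability that
    // actually matches what the preview lets the caller do (assumption here).
    demo_verify_ajax_permissions( 'widgets_action', 'edit_posts' );
    $widget_text = (string) wp_unslash( $_POST['data'] ?? '' );
    wp_send_json_success( array( 'html' => do_shortcode( $widget_text ) ) );
}

// Only the fixed handler is registered; wp_ajax_* hooks run for logged-in users.
add_action( 'wp_ajax_demo_widgets_preview', 'demo_preview_widget_fixed' );
```

The key difference is that `current_user_can()` is evaluated on every request regardless of whether the nonce was obtained legitimately, which is what closes the Subscriber-level path.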

