SiteOrigin Widgets Bundle Vulnerability- Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-0961 |WordPress Plugin Vulnerability Report
Plugin Name: SiteOrigin Widgets Bundle
Key Information:
- Software Type: Plugin
- Software Slug: so-widgets-bundle
- Software Status: Active
- Software Author: gpriday
- Software Downloads: 37,152,267
- Active Installs: 600,000
- Last Updated: February 1, 2024
- Patched Versions: 1.58.2
- Affected Versions: <= 1.58.1
Vulnerability Details:
- Name: SiteOrigin Widgets Bundle <= 1.58.1
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-0961
- CVSS Score: 6.4
- Publicly Published: January 29, 2024
- Researcher: Webbernaut
- Description: The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the code editor in all versions up to, and including, 1.58.1 due to insufficient input sanitization and output escaping. Authenticated attackers, with contributor access or higher, can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The SiteOrigin Widgets Bundle for WordPress has a vulnerability in versions up to and including 1.58.1 that allows authenticated attackers to inject malicious scripts. This vulnerability has been patched in version 1.58.2.
Detailed Overview:
The vulnerability was identified by the researcher Webbernaut and involves Stored Cross-Site Scripting (XSS) within the plugin's code editor. Due to inadequate input sanitization and output escaping, attackers with at least contributor privileges can embed harmful scripts into web pages. When these pages are accessed by any user, the embedded scripts execute, potentially leading to unauthorized access or other malicious activities. The quick identification and patching of this vulnerability highlight the critical nature of maintaining security in web components.
Advice for Users:
- Immediate Action: Update to version 1.58.2 immediately.
- Check for Signs of Vulnerability: Review your website's pages for unexpected or unfamiliar scripts or content.
- Alternate Plugins: Consider using alternative plugins with similar functionality as a precautionary measure until you're able to update.
- Stay Updated: Regularly update your plugins to the latest versions to mitigate vulnerabilities.
Conclusion:
The swift action by the developers of the SiteOrigin Widgets Bundle to release a patch for this vulnerability emphasizes the importance of keeping software updated. Users should ensure their installations are updated to version 1.58.2 or later to protect against this XSS vulnerability.