SiteOrigin Widgets Bundle Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1723 | WordPress Plugin Vulnerability Report
Plugin Name: SiteOrigin Widgets Bundle
Key Information:
- Software Type: Plugin
- Software Slug: so-widgets-bundle
- Software Status: Active
- Software Author: gpriday
- Software Downloads: 38,486,908
- Active Installs: 600,000
- Last Updated: March 7, 2024
- Patched Versions: 1.58.8
- Affected Versions: <= 1.58.7
Vulnerability Details:
- Name: SiteOrigin Widgets Bundle <= 1.58.7
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-1723
- CVSS Score: 6.4
- Publicly Published: March 4, 2024
- Researcher: Wesley
- Description: The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 1.58.7. This vulnerability arises from insufficient input sanitization and output escaping, allowing authenticated attackers with contributor access or higher to inject arbitrary web scripts into pages. These scripts can execute whenever a user accesses an infected page, potentially leading to unauthorized access or manipulation of user data. The affected parameters include but are not limited to $instance['fonts']['title_options']['tag'], $headline_tag, $sub_headline_tag, and $feature['icon'].
Summary:
The SiteOrigin Widgets Bundle for WordPress has been identified with a Stored Cross-Site Scripting vulnerability in versions up to and including 1.58.7. This critical security issue, which allows authenticated attackers to inject malicious scripts, has been resolved in the patched version 1.58.8.
Detailed Overview:
This vulnerability, discovered by researcher Wesley, poses a significant security threat as it enables attackers with at least contributor-level access to inject harmful scripts into web pages. Such actions can compromise website integrity and user data security, making it imperative for site administrators to address this vulnerability promptly. The potential for misuse underscores the necessity for stringent input validation and output encoding practices in plugin development.
Advice for Users:
- Immediate Action: Update to the patched version 1.58.8 without delay to mitigate the vulnerability.
- Check for Signs of Vulnerability: Regularly review website content and user roles to identify any unauthorized changes or additions that could indicate exploitation.
- Alternate Plugins: Consider exploring alternative plugins that provide similar functionalities, especially if they offer more robust security features or if updates are not feasible immediately.
- Stay Updated: Continuously monitor and update all WordPress plugins and themes to their latest versions to safeguard against known vulnerabilities.
Conclusion:
The rapid response in patching the vulnerability in the SiteOrigin Widgets Bundle illustrates the critical role of timely software updates in maintaining website security. To protect against potential exploits, users must ensure that their WordPress installations, including all plugins and themes, are kept up to date with the latest security patches.