SiteOrigin Widgets Bundle Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘siteorigin_widget’ Shortcode – CVE-2024-4362 | WordPress Plugin Vulnerability Report

Plugin Name: SiteOrigin Widgets Bundle

Key Information:

  • Software Type: Plugin
  • Software Slug: so-widgets-bundle
  • Software Status: Active
  • Software Author: gpriday
  • Software Downloads: 39,647,522
  • Active Installs: 600,000
  • Last Updated: May 21, 2024
  • Patched Versions: 1.61.0
  • Affected Versions: <= 1.60.0

Vulnerability Details:

  • Name: SiteOrigin Widgets Bundle <= 1.60.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'siteorigin_widget' Shortcode
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-4362
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: May 21, 2024
  • Researcher: stealthcopter
  • Description: The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 1.60.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The SiteOrigin Widgets Bundle plugin for WordPress has a vulnerability in versions up to and including 1.60.0 that allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the plugin's 'siteorigin_widget' shortcode due to insufficient input sanitization and output escaping. This vulnerability has been patched in version 1.61.0.

Detailed Overview:

The vulnerability, discovered by security researcher stealthcopter, is a Stored Cross-Site Scripting (XSS) issue located in the 'siteorigin_widget' shortcode of the SiteOrigin Widgets Bundle plugin. Due to inadequate input validation and output escaping, authenticated users with contributor-level permissions or higher can inject malicious scripts that will execute whenever a user visits a compromised page. This could potentially lead to sensitive information disclosure, session hijacking, or unauthorized actions performed on behalf of the victim.

Advice for Users:

  1. Immediate Action: Update the SiteOrigin Widgets Bundle plugin to version 1.61.0 or later to resolve the vulnerability.
  2. Check for Signs of Vulnerability: Review your site's pages and posts for any suspicious or unauthorized content that may have been injected by an attacker.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 1.61.0 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/so-widgets-bundle

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/so-widgets-bundle/siteorigin-widgets-bundle-1600-authenticated-contributor-stored-cross-site-scripting-via-siteorigin-widget-shortcode

Detailed Report:

As a website owner, keeping your site secure and up-to-date is of utmost importance. However, even the most vigilant among us can fall victim to vulnerabilities in the plugins we rely on to enhance our site's functionality. A recent discovery by security researcher stealthcopter has brought to light a critical vulnerability in the widely-used SiteOrigin Widgets Bundle plugin for WordPress, potentially putting thousands of websites at risk.

The SiteOrigin Widgets Bundle Plugin

The SiteOrigin Widgets Bundle plugin is a popular WordPress plugin that provides a collection of powerful widgets to help users build responsive page layouts. It has been downloaded over 39 million times and is currently active on more than 600,000 websites. The plugin was last updated on May 21, 2024, and the vulnerability affects all versions up to and including 1.60.0.

The Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting

The vulnerability, identified as CVE-2024-4362, is a Stored Cross-Site Scripting (XSS) issue located in the 'siteorigin_widget' shortcode of the SiteOrigin Widgets Bundle plugin. Due to inadequate input validation and output escaping, authenticated users with contributor-level permissions or higher can inject malicious scripts that will execute whenever a user visits a compromised page.

Risks and Potential Impacts

This vulnerability could lead to sensitive information disclosure, session hijacking, or unauthorized actions performed on behalf of the victim. Attackers could potentially gain control over a website, deface pages, or even use the compromised site to distribute malware to unsuspecting visitors.

Remediating the Vulnerability

To protect your website from this vulnerability, it is crucial to update the SiteOrigin Widgets Bundle plugin to version 1.61.0 or later, which includes a patch for this issue. Additionally, review your site's pages and posts for any suspicious or unauthorized content that may have been injected by an attacker.

Previous Vulnerabilities

It is worth noting that the SiteOrigin Widgets Bundle plugin has had five previous vulnerabilities since November 2023. This underscores the importance of regularly updating your plugins and staying informed about potential security risks.

The Importance of Staying Vigilant

As a small business owner, it can be challenging to find the time and resources to stay on top of website security. However, the consequences of a compromised website can be devastating, leading to loss of customer trust, damage to your brand reputation, and potential legal liabilities.

To ensure the safety and integrity of your WordPress website, consider partnering with a reliable web development and security agency. They can help you monitor your site for vulnerabilities, perform regular updates, and implement best practices to keep your website secure. By proactively addressing security concerns, you can focus on running your business while knowing that your online presence is in good hands.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

SiteOrigin Widgets Bundle Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘siteorigin_widget’ Shortcode – CVE-2024-4362 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment