WordPress SiteOrigin Widgets Bundle Plugin Vulnerability Affects +600,000 Sites

The SiteOrigin Widgets Bundle WordPress plugin, with over 600,000 installations, has patched an authenticated stored cross-site scripting (XSS) vulnerability that could allow attackers to upload arbitrary files and expose site visitors to malicious scripts.

SiteOrigin Widgets Bundle Plugin

The SiteOrigin Widgets Bundle plugin, with over 600,000 active installations, provides an easy way to add a multitude of widgets such as sliders, carousels and maps, to change the way blog posts are displayed, and to add other useful webpage elements.

Stored Cross-Site Scripting Vulnerability

A Cross-Site Scripting (XSS) vulnerability is a flaw that allows a hacker to inject (upload) malicious scripts. In WordPress plugins, these kinds of vulnerabilities arise when input data is not properly sanitized (filtered for untrusted content) and when output data is not properly secured (a step called escaping).

This particular XSS vulnerability is called a Stored XSS because the attacker is able to inject the malicious code into the server, where it persists. According to the non-profit Open Worldwide Application Security Project (OWASP), the ability to launch an attack directly from the website makes it particularly concerning.

OWASP describes the stored XSS threat:

“This type of exploit, known as Stored XSS, is particularly insidious because the indirection caused by the data store makes it more difficult to identify the threat and increases the possibility that the attack will affect multiple users.”

In an XSS attack where a script has successfully been injected, the attacker's harmful script is delivered to an unsuspecting site visitor. The user’s browser, because it trusts the website, executes it. This can allow the attacker to access cookies, session tokens, and other sensitive website data.

Vulnerability Description

The vulnerability arose because of flaws in sanitizing inputs and escaping data.

The WordPress developer page for security explains sanitization:

“Sanitizing input is the process of securing/cleaning/filtering input data. Validation is preferred over sanitization because validation is more specific. But when “more specific” isn’t possible, sanitization is the next best thing.”

Escaping data in a WordPress plugin is a security function that filters output: it encodes values at the point they are printed so the browser renders them as text rather than interpreting them as HTML or script.

Both of those functions needed improvement in the SiteOrigin Widgets Bundle plugin.

Wordfence described the vulnerability:

“The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the onclick parameter in all versions up to, and including, 1.58.3 due to insufficient input sanitization and output escaping.”

This vulnerability requires authentication before it can be exploited, which means the attacker needs at least Contributor-level access in order to be able to launch an attack.
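As an added illustration (not code from the plugin, from SiteOrigin, or from the Wordfence advisory), the following plain-PHP sketch contrasts a widget renderer that echoes a saved onclick setting straight into the markup with one that sanitizes on save, escapes on output, and drops inline event handlers for authors who lack the unfiltered_html capability. The field names, function names, sample values and the $can_unfiltered_html flag are assumptions; in a real WordPress plugin the capability check would be current_user_can('unfiltered_html') and the escaping helpers esc_attr() and esc_html(). The key point it shows is that escaping alone does not make an onclick field safe, because whatever lands inside an event-handler attribute runs as JavaScript, so the value has to be removed for untrusted roles.

```php
<?php
// Added example, not the plugin's code. Shows why a user-supplied onclick value
// must be rejected for low-privilege authors, not merely escaped.

// Constructed sample: a widget setting as a Contributor-level user might save it.
$instance = [
    'text'    => 'Click me',
    'onclick' => 'alert(1)', // hypothetical injected handler
];

// Vulnerable pattern: saved settings are echoed directly into an attribute.
function render_button_vulnerable(array $instance): string {
    return '<a class="sow-button" onclick="' . $instance['onclick'] . '">'
        . $instance['text'] . '</a>';
}

// Hardened pattern, step 1: sanitize on save (cf. sanitize_text_field()).
// Only authors with the unfiltered_html capability may keep an inline handler.
function sanitize_instance(array $instance, bool $can_unfiltered_html): array {
    $clean = [];
    $clean['text']    = trim(strip_tags((string) ($instance['text'] ?? '')));
    $clean['onclick'] = $can_unfiltered_html ? (string) ($instance['onclick'] ?? '') : '';
    return $clean;
}

// Hardened pattern, step 2: escape on output (cf. esc_attr() / esc_html()).
// ENT_QUOTES encodes both quote styles so a value cannot break out of its attribute.
function esc_output(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_button_hardened(array $clean): string {
    // The attribute is only emitted at all when a trusted author supplied it.
    $onclick = $clean['onclick'] !== ''
        ? ' onclick="' . esc_output($clean['onclick']) . '"'
        : '';
    return '<a class="sow-button"' . $onclick . '>' . esc_output($clean['text']) . '</a>';
}

echo "Vulnerable (any role): " . render_button_vulnerable($instance) . PHP_EOL;
echo "Hardened, Contributor: " . render_button_hardened(sanitize_instance($instance, false)) . PHP_EOL;
echo "Hardened, trusted:     " . render_button_hardened(sanitize_instance($instance, true)) . PHP_EOL;
```

Run with `php example.php`: the vulnerable renderer prints the handler verbatim for every author, the hardened renderer omits the onclick attribute entirely for the Contributor case and keeps it only for the trusted author. Escaping the text field with htmlspecialchars() covers the HTML context; the capability check is what addresses the event-handler context, which no output escaping can make safe.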

Recommended action:

The vulnerability was assigned a medium CVSS severity level, scoring 6.4/10. Plugin users should consider updating to the latest version, which is version 1.58.5, although the vulnerability was patched in version 1.58.4.

Read the Wordfence vulnerability advisory:

SiteOrigin Widgets Bundle <= 1.58.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Published by
Taylor Davis