Which SiteOrigin Widgets Bundle CVEs are tracked?

SiteOrigin Widgets Bundle tracked CVEs include CVE-2025-5585, CVE-2024-5901, CVE-2024-5090, CVE-2024-4362, and CVE-2024-1723.

How many SiteOrigin Widgets Bundle vulnerabilities have patch guidance?

11 of 11 tracked SiteOrigin Widgets Bundle records include a published patch path.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 11 known issues Latest disclosed Feb 17, 2026

SiteOrigin Widgets Bundle Vulnerabilities

Review known vulnerability records for the WordPress plugin SiteOrigin Widgets Bundle (`so-widgets-bundle`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-2127, CVE-2025-5585 and CVE-2024-54268, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Feb 18, 2026

Priority CVE Quick Links

Fast paths into SiteOrigin Widgets Bundle CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2025-5585 Medium 1.69.0

CVE-2025-5585 SiteOrigin Widgets Bundle Stored Cross-Site Scripting

SiteOrigin Widgets Bundle <= 1.68.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-url` DOM Element Attribute

CVE-2024-5901 Medium 1.62.3

CVE-2024-5901 SiteOrigin Widgets Bundle Stored Cross-Site Scripting

SiteOrigin Widgets Bundle <= 1.62.2 - Authenticated (Contributor+) Stored Cross-Site Scripting in Image Grid widget

CVE-2024-5090 Medium 1.62.0

CVE-2024-5090 SiteOrigin Widgets Bundle Stored Cross-Site Scripting

SiteOrigin Widgets Bundle <= 1.61.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via SiteOrigin Blog Widget

CVE-2024-4362 Medium 1.61.0

CVE-2024-4362 SiteOrigin Widgets Bundle Stored Cross-Site Scripting

SiteOrigin Widgets Bundle <= 1.60.0 - - Authenticated (Contributor+) Stored Cross-Site Scripting via 'siteorigin_widget' Shortcode

CVE-2024-1723 Medium 1.58.8

CVE-2024-1723 SiteOrigin Widgets Bundle Stored Cross-Site Scripting

SiteOrigin Widgets Bundle <= 1.58.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-1058 Medium 1.58.4

CVE-2024-1058 SiteOrigin Widgets Bundle Stored Cross-Site Scripting

SiteOrigin Widgets Bundle <= 1.58.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-1070 Medium 1.58.3

CVE-2024-1070 SiteOrigin Widgets Bundle Stored Cross-Site Scripting

SiteOrigin Widgets Bundle <= 1.58.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-0961 Medium 1.58.2

CVE-2024-0961 SiteOrigin Widgets Bundle Stored Cross-Site Scripting

SiteOrigin Widgets Bundle <= 1.58.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for SiteOrigin Widgets Bundle so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

11 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

0 critical and 0 high severity findings.

Recent CVEs

CVE-2026-2127, CVE-2025-5585 and CVE-2024-54268

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-2127 Medium Patch path listed

CVE-2026-2127: SiteOrigin Widgets Bundle <= 1.70.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capabili...

Published

Feb 17, 2026

Patch Status

1.71.0

Open CVE-2026-2127 Report

CVE-2025-5585 Medium Patch path listed

CVE-2025-5585: SiteOrigin Widgets Bundle <= 1.68.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-url` DOM Element Attribute

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-url` DOM Element Attribute in all versions up to, and including, 1.68.4 due to i...

Published

Jun 24, 2025

Patch Status

1.69.0

Open CVE-2025-5585 Report

CVE-2024-54268 Medium Patch path listed

CVE-2024-54268: SiteOrigin Widgets Bundle <= 1.64.0 - Missing Authorization

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.64.0. This mak...

Published

Dec 10, 2024

Patch Status

1.64.1

Open CVE-2024-54268 Report

Known Vulnerabilities

Reports for SiteOrigin Widgets Bundle

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-2127

CVE-2026-2127: SiteOrigin Widgets Bundle <= 1.70.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check on the `siteorigin_widget_preview_widget_action()` function which is registered v...

Published

Feb 17, 2026

Patched Release

1.71.0

Affected Versions

Versions up to 1.70.4

Next Step

Update to 1.71.0 or newer if supported.

Open CVE-2026-2127 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-5585

CVE-2025-5585: SiteOrigin Widgets Bundle <= 1.68.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-url` DOM Element Attribute

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-url` DOM Element Attribute in all versions up to, and including, 1.68.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

Published

Jun 24, 2025

Patched Release

1.69.0

Affected Versions

Versions up to 1.68.5

Next Step

Update to 1.69.0 or newer if supported.

Open CVE-2025-5585 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-54268

CVE-2024-54268: SiteOrigin Widgets Bundle <= 1.64.0 - Missing Authorization

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.64.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to pe...

Published

Dec 10, 2024

Patched Release

1.64.1

Affected Versions

Versions up to 1.64.0

Next Step

Update to 1.64.1 or newer if supported.

Open CVE-2024-54268 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-5901

CVE-2024-5901: SiteOrigin Widgets Bundle <= 1.62.2 - Authenticated (Contributor+) Stored Cross-Site Scripting in Image Grid widget

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Grid widget in all versions up to, and including, 1.62.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...

Published

Jul 30, 2024

Patched Release

1.62.3

Affected Versions

Versions up to 1.62.2

Next Step

Update to 1.62.3 or newer if supported.

Open CVE-2024-5901 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-5090

CVE-2024-5090: SiteOrigin Widgets Bundle <= 1.61.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via SiteOrigin Blog Widget

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's SiteOrigin Blog Widget in all versions up to, and including, 1.61.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes...

Published

Jun 10, 2024

Patched Release

1.62.0

Affected Versions

Versions up to 1.61.1

Next Step

Update to 1.62.0 or newer if supported.

Open CVE-2024-5090 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-4362

CVE-2024-4362: SiteOrigin Widgets Bundle <= 1.60.0 - - Authenticated (Contributor+) Stored Cross-Site Scripting via 'siteorigin_widget' Shortcode

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 1.60.0 due to insufficient input sanitization and output escaping on user supplied attributes. This...

Published

May 21, 2024

Patched Release

1.61.0

Affected Versions

Versions up to 1.60.0

Next Step

Update to 1.61.0 or newer if supported.

Open CVE-2024-4362 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-1723

CVE-2024-1723: SiteOrigin Widgets Bundle <= 1.58.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 1.58.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

Published

Mar 04, 2024

Patched Release

1.58.8

Affected Versions

Versions up to 1.58.7

Next Step

Update to 1.58.8 or newer if supported.

Open CVE-2024-1723 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-1058

CVE-2024-1058: SiteOrigin Widgets Bundle <= 1.58.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the onclick parameter in all versions up to, and including, 1.58.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers wi...

Published

Feb 12, 2024

Patched Release

1.58.4

Affected Versions

Versions up to 1.58.3

Next Step

Update to 1.58.4 or newer if supported.

Open CVE-2024-1058 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-1070

CVE-2024-1070: SiteOrigin Widgets Bundle <= 1.58.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the features attribute in all versions up to, and including, 1.58.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

Published

Feb 12, 2024

Patched Release

1.58.3

Affected Versions

Versions up to 1.58.2

Next Step

Update to 1.58.3 or newer if supported.

Open CVE-2024-1070 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-0961

CVE-2024-0961: SiteOrigin Widgets Bundle <= 1.58.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the code editor in all versions up to, and including, 1.58.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with co...

Published

Jan 29, 2024

Patched Release

1.58.2

Affected Versions

Versions up to 1.58.1

Next Step

Update to 1.58.2 or newer if supported.

Open CVE-2024-0961 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2023-6295

CVE-2023-6295: SiteOrigin Widgets Bundle < 1.51.0 - Authenticated (Admin+) Local File Inclusion

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.50.1. This makes it possible for authenticated attackers, with administrator-level access and above, to include and execute arbitrary files on the serv...

Published

Nov 27, 2023

Patched Release

1.51.0

Affected Versions

Versions up to 1.50.1

Next Step

Update to 1.51.0 or newer if supported.

Open CVE-2023-6295 Report Open CVE Reference