The SiteOrigin Widgets Bundle plugin for WordPress contains a stored cross-site scripting vulnerability (CWE-79) identified as CVE-2024-1723. This flaw affects all versions up to and including 1.58.7 and allows authenticated users with contributor or higher roles to inject arbitrary JavaScript code through multiple widget parameters. The vulnerability is due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of parameters like $instance['fonts']['title_options']['tag'], $headline_tag, $sub_headline_tag, and $feature['icon']. When a user accesses a page containing the injected script, the malicious code executes in their browser context. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges, no user interaction, and partial impact on confidentiality and integrity without affecting availability. There is no vendor advisory or patch link available at this time, and no known exploits have been reported.

An attacker with contributor or higher privileges can inject persistent malicious scripts into pages via vulnerable parameters. This can lead to unauthorized script execution in the context of users viewing the compromised pages, potentially exposing sensitive information or enabling further attacks. The impact affects confidentiality and integrity but does not affect availability. Since the attacker must be authenticated with contributor-level access, the risk is limited to environments where such roles are assigned to potentially malicious users.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict contributor-level access to trusted users only. Consider implementing additional input validation or output escaping at the application or web server level as a temporary mitigation. Monitor for updates from the vendor regarding patches or official fixes.