The SiteOrigin Widgets Bundle plugin for WordPress contains a stored cross-site scripting vulnerability (CWE-79) in its SiteOrigin Blog Widget component. This vulnerability is due to improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping of user-supplied attributes. Authenticated users with contributor-level privileges or higher can exploit this flaw to inject arbitrary JavaScript code into pages. The injected scripts execute in the context of any user viewing the affected page, potentially leading to session hijacking or other script-based attacks. The vulnerability affects all versions up to and including 1.61.1. The CVSS 3.1 score is 6.4 (medium severity), with an attack vector of network, low attack complexity, requiring privileges, no user interaction, and impacts confidentiality and integrity but not availability. No patch or vendor advisory is currently available, and no known exploits have been reported.

An authenticated attacker with contributor-level access or higher can inject persistent malicious scripts into pages via the SiteOrigin Blog Widget. These scripts execute in the browsers of users who visit the compromised pages, potentially allowing theft of sensitive information or unauthorized actions within the context of the affected site. The vulnerability impacts confidentiality and integrity but does not affect availability. There are no known active exploits in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict contributor-level access to trusted users only and consider disabling or removing the SiteOrigin Blog Widget if feasible. Monitor for updates from the plugin vendor or WordPress security channels to apply any forthcoming patches promptly.