CVE-2025-8780 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Livemesh SiteOrigin Widgets plugin for WordPress, specifically impacting the Hero Header and Pricing Table widgets in all versions up to and including 3.9.1. The root cause is insufficient sanitization and escaping of user-supplied input attributes, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the vulnerability is stored, the malicious script persists in the website's content and executes in the browsers of any users who visit the affected pages. This can lead to a range of attacks, including session hijacking, theft of cookies or credentials, defacement, or further exploitation of the victim's browser environment. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a network attack vector, low attack complexity, required privileges (contributor or higher), no user interaction, and a scope change due to the script executing in other users' browsers. No patches or fixes were listed at the time of publication, and no known exploits in the wild have been reported. The vulnerability is particularly concerning because contributor-level users are common in WordPress environments, and the plugin is widely used for building site content. The lack of output escaping and input validation in these widgets indicates a failure to follow secure coding practices for web applications, especially in handling HTML and JavaScript content. This vulnerability highlights the importance of strict input validation, output encoding, and the principle of least privilege in content management systems.

For European organizations, this vulnerability poses significant risks, especially for those relying on WordPress sites with the Livemesh SiteOrigin Widgets plugin. Exploitation can lead to unauthorized script execution in users' browsers, resulting in credential theft, session hijacking, and potential lateral movement within corporate networks. This can compromise sensitive data confidentiality and integrity, damage organizational reputation, and disrupt business operations. Given the medium CVSS score and the requirement for contributor-level access, insider threats or compromised accounts could be leveraged to exploit this vulnerability. The scope change means that the impact extends beyond the initial attacker to all users visiting the infected pages, increasing the potential damage. Organizations in sectors such as finance, government, and e-commerce, which often use WordPress for public-facing sites, are particularly at risk. Additionally, the absence of a patch at the time of disclosure means that organizations must rely on compensating controls, increasing operational complexity and risk exposure.

1. Monitor for and apply security updates from Livemesh promptly once a patch is released for this vulnerability. 2. Restrict contributor-level permissions strictly, ensuring only trusted users have such access to prevent malicious script injection. 3. Implement Web Application Firewalls (WAFs) with rules specifically designed to detect and block stored XSS payloads targeting the affected widgets. 4. Conduct regular security audits and code reviews of custom widgets or plugins to ensure proper input sanitization and output escaping. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on web pages. 6. Educate content contributors about secure content practices and the risks of injecting untrusted HTML or scripts. 7. Use security plugins that scan for malicious code or changes in WordPress content to detect potential exploitation early. 8. Consider temporarily disabling or replacing the vulnerable widgets if immediate patching is not possible. 9. Monitor logs for unusual activity related to contributor accounts or unexpected content changes. 10. Backup website data regularly to enable quick restoration in case of compromise.