CVE-2025-8780 identifies a stored cross-site scripting vulnerability in the Livemesh SiteOrigin Widgets plugin for WordPress, specifically impacting the Hero Header and Pricing Table widgets. The root cause is improper neutralization of user input (CWE-79), where the plugin fails to adequately sanitize and escape user-supplied attributes before rendering them on web pages. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently in the website’s content, it executes automatically whenever any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 3.9.1 of the plugin. The CVSS 3.1 base score of 6.4 reflects a medium severity rating, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change indicating that the vulnerability can affect components beyond the initially vulnerable plugin. Although no public exploits are currently known, the presence of authenticated low-privilege attackers makes this a significant risk for multi-user WordPress environments. The vulnerability was published on December 13, 2025, and has been assigned CWE-79, highlighting the classic XSS issue of improper input validation and output encoding.

For European organizations, this vulnerability poses a moderate risk primarily to websites running WordPress with the Livemesh SiteOrigin Widgets plugin installed. The ability for low-privilege authenticated users to inject persistent scripts can lead to session hijacking, unauthorized actions, defacement, and potential lateral movement within the web application. This is particularly impactful for organizations with collaborative content management workflows involving contributors or editors. Confidentiality may be compromised through cookie theft or credential exposure, and integrity can be affected by unauthorized content modifications. Although availability is not directly impacted, reputational damage and loss of user trust can result from successful exploitation. Given the widespread use of WordPress across Europe, especially in small and medium enterprises, educational institutions, and public sector websites, the vulnerability could affect a broad range of targets. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities once disclosed.

1. Monitor for and apply security updates from Livemesh promptly once a patch addressing CVE-2025-8780 is released. 2. Until patched, restrict contributor-level access and above to trusted users only, minimizing the risk of malicious script injection. 3. Employ a Web Application Firewall (WAF) with rules to detect and block XSS payloads, particularly targeting the affected widgets. 4. Implement Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on affected sites. 5. Conduct regular security audits and code reviews of custom widgets or plugins to ensure proper input sanitization and output encoding. 6. Educate content contributors about safe input practices and the risks of injecting untrusted content. 7. Consider disabling or replacing the vulnerable widgets if immediate patching is not feasible. 8. Monitor website logs and user activity for suspicious behavior indicative of exploitation attempts.