CVE-2025-8780 is a stored cross-site scripting (XSS) vulnerability identified in the Livemesh SiteOrigin Widgets plugin for WordPress, specifically affecting the Hero Header and Pricing Table widgets in all versions up to and including 3.9.1. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), where user-supplied attributes are not adequately sanitized or escaped before being rendered on pages. This flaw enables authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the malicious scripts are stored persistently in the plugin's widget data, they execute every time any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability requires no user interaction beyond visiting the infected page and does not require elevated privileges beyond contributor access, which is commonly granted to users who can submit content but not publish it. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability poses a significant risk due to the widespread use of WordPress and the popularity of the Livemesh SiteOrigin Widgets plugin. The vulnerability was reserved in August 2025 and published in December 2025, with no patch links currently available, indicating that remediation may still be pending.

The impact of CVE-2025-8780 is primarily on the confidentiality and integrity of affected WordPress sites. Attackers with contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors, including administrators and other privileged users. This can lead to session hijacking, credential theft, unauthorized actions performed with victim user privileges, defacement, or distribution of malware. Since the vulnerability does not affect availability, denial of service is unlikely. However, the compromise of administrative sessions or content integrity can severely damage organizational reputation and trust. Given the widespread use of WordPress globally and the popularity of the Livemesh SiteOrigin Widgets plugin, many organizations, including blogs, small businesses, and enterprises using these widgets, are at risk. The requirement for contributor-level access means that attackers must first compromise or register an account with some privileges, which may be feasible in environments with weak user management or open registration. The cross-site scripting vulnerability also increases the attack surface for further exploitation, such as pivoting to more severe attacks or persistent backdoors.

Organizations should immediately audit and restrict contributor-level access to trusted users only, minimizing the risk of malicious script injection. Until an official patch is released, administrators can implement strict input validation and output encoding on widget attributes to prevent script injection. Employing Web Application Firewalls (WAFs) with rules targeting common XSS payloads can help detect and block exploitation attempts. Monitoring and scanning WordPress sites for injected scripts or anomalous widget content is critical to detect compromise early. Site owners should keep WordPress core, plugins, and themes updated and subscribe to vulnerability advisories for timely patching. Disabling or removing the Livemesh SiteOrigin Widgets plugin temporarily may be necessary if mitigation is not feasible. Additionally, implementing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution sources. Regular backups and incident response plans should be in place to recover from potential compromise.