Stored Cross-Site Scripting Vulnerability in Livemesh SiteOrigin Widgets for WordPress
CVE-2025-8780
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 13 December 2025
What is CVE-2025-8780?
The Livemesh SiteOrigin Widgets plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate sanitization and escaping of user-supplied input. Authenticated attackers with contributor-level access or higher can exploit this flaw in the Hero Header and Pricing Table widgets to inject malicious scripts. These scripts will be executed when users visit affected pages, potentially compromising user data and site integrity.
Affected Version(s)
Livemesh SiteOrigin Widgets * <= 3.9.1