Unauthorized Shortcode Execution in SiteOrigin Widgets Bundle Plugin for WordPress
CVE-2026-2127
What is CVE-2026-2127?
The SiteOrigin Widgets Bundle plugin for WordPress has a security flaw that allows authenticated attackers to execute arbitrary shortcodes. This is due to insufficient checks in the siteorigin_widget_preview_widget_action() function. Although the function verifies a nonce for requests, it neglects to validate the user's capabilities. As a result, a user with Subscriber-level access or higher can exploit the vulnerability by invoking the SiteOrigin_Widget_Editor_Widget through the preview endpoint. Furthermore, the nonce used in this process is publicly accessible, posing additional risks when the Post Carousel widget is present on the site.
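The root cause described above is a classic confusion between CSRF protection and authorization: a WordPress nonce only proves that the request originated from a page the site served to some logged-in user, so on its own it lets any Subscriber reach a handler that was meant for editors. The following PHP is an added illustration of that pattern and its fix; it is not code from the SiteOrigin Widgets Bundle. The function names, the `example_widget_preview` nonce action, the `wp_ajax_example_preview_widget` hook, the `content` POST field and the `edit_posts` capability are all assumptions chosen for the example, and the core functions used (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `get_shortcode_regex`, `do_shortcode`, `wp_kses_post`) are standard WordPress API.

```php
<?php
/**
 * Added example, not the plugin's own code: a widget-preview AJAX handler
 * that checks only a nonce, beside a hardened version that also enforces a
 * capability and restricts which shortcodes the preview may render.
 */

// --- Weak pattern: nonce only ---------------------------------------------
// check_ajax_referer() stops cross-site forgery, nothing more. If the nonce is
// readable by every logged-in user (or printed into a public page), any
// authenticated account can call this and have arbitrary shortcodes executed.
function example_preview_widget_weak() {
	check_ajax_referer( 'example_widget_preview', 'nonce' );

	$content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
	echo do_shortcode( $content ); // every registered shortcode is reachable here
	wp_die();
}

// --- Hardened pattern: nonce + capability + shortcode allow-list ----------
function example_preview_widget_hardened() {
	// 1. CSRF protection: the request must still carry a valid nonce.
	check_ajax_referer( 'example_widget_preview', 'nonce' );

	// 2. Authorization: the preview is an editing feature, so require an
	//    editing capability. Subscribers do not have 'edit_posts'.
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	$content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';

	// 3. Least privilege for the content itself: only render shortcodes the
	//    preview actually needs. The tag list is an assumed example value.
	$allowed_tags = array( 'example_widget' );
	if ( preg_match_all( '/' . get_shortcode_regex() . '/s', $content, $matches ) ) {
		foreach ( $matches[2] as $tag ) { // group 2 of the core regex is the tag name
			if ( ! in_array( $tag, $allowed_tags, true ) ) {
				wp_send_json_error( array( 'message' => 'Shortcode not permitted in preview.' ), 400 );
			}
		}
	}

	// 4. Escape the rendered output with the post-content allow-list.
	echo wp_kses_post( do_shortcode( $content ) );
	wp_die();
}

// Register only the authenticated hook. Leaving out 'wp_ajax_nopriv_' keeps
// anonymous users away, but on its own that is no substitute for step 2.
add_action( 'wp_ajax_example_preview_widget', 'example_preview_widget_hardened' );
```

The two checks are independent and both are needed: the nonce answers "did this request come from my own page?", the capability check answers "is this user allowed to do this?". When auditing a plugin, search its `wp_ajax_*` handlers for `check_ajax_referer` or `wp_verify_nonce` calls that are not paired with a `current_user_can` call; each one is a candidate for exactly the class of bug CVE-2026-2127 describes.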

Affected Version(s)
SiteOrigin Widgets Bundle, all versions <= 1.70.4