Stored Cross-Site Scripting in Livemesh SiteOrigin Widgets for WordPress
CVE-2026-3896

6.4MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
27 May 2026

What is CVE-2026-3896?

The Livemesh SiteOrigin Widgets plugin for WordPress contains a vulnerability allowing Stored Cross-Site Scripting through the lsow_admin_ajax AJAX action. This issue arises from missing authorization checks and inadequate input sanitization. Although the AJAX handler verifies a nonce, it fails to check user capabilities, enabling attackers with Subscriber-level access and higher to alter plugin settings and inject malicious scripts. These scripts can execute when administrators access the plugin settings page or when users visit the frontend, posing significant security risks.

Affected Version(s)

Livemesh SiteOrigin Widgets 0 <= 3.9.2

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Yudha - DJ
.