Stored Cross-Site Scripting in Livemesh SiteOrigin Widgets for WordPress
CVE-2026-3896
6.4MEDIUM
What is CVE-2026-3896?
The Livemesh SiteOrigin Widgets plugin for WordPress contains a vulnerability allowing Stored Cross-Site Scripting through the lsow_admin_ajax AJAX action. This issue arises from missing authorization checks and inadequate input sanitization. Although the AJAX handler verifies a nonce, it fails to check user capabilities, enabling attackers with Subscriber-level access and higher to alter plugin settings and inject malicious scripts. These scripts can execute when administrators access the plugin settings page or when users visit the frontend, posing significant security risks.
Affected Version(s)
Livemesh SiteOrigin Widgets 0 <= 3.9.2