Security Alert Summary
The SiteOrigin Widgets Bundle plugin for WordPress contains a privilege/authorization weakness that allows authenticated users with Subscriber-level access and above to execute arbitrary shortcodes via a preview AJAX endpoint. The issue is caused by a missing capability check in the preview handler while a nonce is present, and the required nonce can be exposed on the public frontend when the Post Carousel widget is used.
CVE Details
- CVE ID: CVE-2026-2127
- Affected plugin / component: SiteOrigin Widgets Bundle plugin for WordPress
- Affected versions: All versions up to, and including, 1.70.4
- Published: February 18, 2026 at 9:15:58 AM
- Last modified: February 18, 2026 at 9:15:58 AM
- CVSS v3.1: Base Score 5.4, MEDIUM —
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N - Authentication / privileges / user interaction: Requires an authenticated user. Privileges required: Low (authenticated user equivalent to Subscriber-level and above). User interaction: None.
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE / weakness: CWE-862 (Missing Authorization)
Technical Details
The vulnerability is due to a missing capability (authorization) check in the siteorigin_widget_preview_widget_action() function, which is registered on the wp_ajax_so_widgets_preview AJAX action. The function verifies a nonce named widgets_action but does not verify the caller’s capabilities. Because the preview endpoint can be invoked while the plugin instantiates the SiteOrigin_Widget_Editor_Widget, an authenticated user with Subscriber-level access or higher can use the preview endpoint to trigger arbitrary shortcode execution.
Additionally, the required nonce is exposed on the public frontend when the Post Carousel widget is present on a page: the nonce is embedded in a data-ajax-url HTML attribute, making it accessible to authenticated users who can view the page. The combination of an exposed nonce and the missing capability check enables execution of shortcodes via the preview mechanism.
How This Could Impact Your Website
Consider a site with multiple users: a site owner, internal staff who publish content, and external contractors or contributors with Subscriber or Contributor accounts. An authenticated contractor or contributor could invoke the preview endpoint and cause arbitrary shortcodes to run in the context of the previewed widget. Practical consequences include limited disclosure or modification of content produced by shortcodes and potential information disclosure tied to shortcode outputs.
Because the impact ratings are Low for confidentiality and integrity and None for availability, this issue does not imply full site takeover, but it does increase the risk of targeted misuse such as exposure of internal data returned by shortcodes or changes to rendered content.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially Contributor and Subscriber accounts that are not required.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, including unexpected AJAX requests to preview endpoints.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/base/inc/actions.php#L6
- https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/base/inc/actions.php#L75
- https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/widgets/editor/editor.php#L120
- https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.70.4/widgets/post-carousel/post-carousel.php#L590
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3460939%40so-widgets-bundle%2Ftrunk&old=3434183%40so-widgets-bundle%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bf92c64b-ca76-4af7-a1e4-585a60b03153?source=cve