CVE-2026-2127

Name of the Vulnerable Software and Affected Versions SiteOrigin Widgets Bundle versions prior to 1.70.5

Description The SiteOrigin Widgets Bundle plugin for WordPress is susceptible to unauthorized arbitrary shortcode execution. This is caused by a missing capability check within the siteorigin widget preview widget action() function, which is registered through the wp ajax so widgets preview AJAX action. The function verifies a nonce (widgets action) but does not confirm user capabilities, allowing authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes. The necessary nonce is exposed on the public frontend when the Post Carousel widget is present on a page, embedded within the data-ajax-url HTML attribute. Attackers can invoke the SiteOrigin Widget Editor Widget via the preview endpoint to exploit this issue.

Recommendations Update SiteOrigin Widgets Bundle to version 1.70.5 or later.