Livemesh SiteOrigin Widgets, CVE-2026-3896
- CVE, Research URL
- Home page URL
- Application
- Published on
- May 27, 2026
- Research Description
- The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lsow_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.
- Affected versions
-
max 3.9.2.
- Status
-
vulnerable