{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5585", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-03T21:44:03.481Z", "datePublished": "2025-06-25T02:22:07.865Z", "dateUpdated": "2026-04-08T17:18:24.186Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:24.186Z"}, "affected": [{"vendor": "gpriday", "product": "SiteOrigin Widgets Bundle", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.68.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-url` DOM Element Attribute in all versions up to, and including, 1.68.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "SiteOrigin Widgets Bundle <= 1.68.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-url` DOM Element Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb1b93ee-8641-4ddb-8b6b-2e9d30fe338d?source=cve"}, {"url": "https://plugins.svn.wordpress.org/so-widgets-bundle/tags/1.68.4/js/slider/jquery.slider.js"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "timeline": [{"time": "2025-05-28T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-06-04T15:00:44.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-06-24T13:56:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-25T14:52:19.975422Z", "id": "CVE-2025-5585", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-25T15:02:33.343Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5585", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-25T14:52:19.975422Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-25T14:52:26.728Z"}}], "cna": {"title": "SiteOrigin Widgets Bundle <= 1.68.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-url` DOM Element Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "gpriday", "product": "SiteOrigin Widgets Bundle", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.68.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-28T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-06-04T15:00:44.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-06-24T13:56:20.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb1b93ee-8641-4ddb-8b6b-2e9d30fe338d?source=cve"}, {"url": "https://plugins.svn.wordpress.org/so-widgets-bundle/tags/1.68.4/js/slider/jquery.slider.js"}], "descriptions": [{"lang": "en", "value": "The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-url` DOM Element Attribute in all versions up to, and including, 1.68.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:24.186Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5585", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:18:24.186Z", "dateReserved": "2025-06-03T21:44:03.481Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-25T02:22:07.865Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siteorigin:siteorigin_widgets_bundle:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "E96375DB-E9E5-4FFA-8B1F-7153DC5DB8BA", "versionEndExcluding": "1.69.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-url` DOM Element Attribute in all versions up to, and including, 1.68.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento SiteOrigin Widgets Bundle para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del atributo del elemento DOM `data-url` en todas las versiones hasta la 1.68.4 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-5585", "lastModified": "2025-07-08T14:54:51.113", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-25T03:15:27.853", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.svn.wordpress.org/so-widgets-bundle/tags/1.68.4/js/slider/jquery.slider.js"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb1b93ee-8641-4ddb-8b6b-2e9d30fe338d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:28:32.411461+00:00", "value": {"mitigation_remediation": ["Upgrade to SiteOrigin Widgets Bundle 1.68.5 or later to eliminate the stored XSS flaw.", "If an upgrade cannot be performed immediately, revoke or limit Contributor and higher role permissions from users who can edit widget configurations, thereby removing the ability to inject the malicious attribute.", "Clean or sanitize existing widget data in the database to remove any injected data-url values and ensure that future input is properly escaped."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that permits arbitrary script execution by authenticated Contributor-level users"}, "threat_synthesis": {"affected_systems": "WordPress sites running the SiteOrigin Widgets Bundle plugin with versions 1.68.4 or earlier. The plugin is installed by the SiteOrigin vendor and is distributed through the WordPress plugin repository.", "description_and_impact": "The vulnerability exists in the SiteOrigin Widgets Bundle plugin for WordPress and arises from the unsanitized use of the data-url DOM Element Attribute. An attacker who has Contributor, Editor, or higher access can embed custom JavaScript into pages. When any user loads the affected page, the injected script runs with that user\u2019s context, potentially hijacking sessions, stealing credentials, or redirecting traffic. The flaw is a classic Stored XSS (CWE\u201179) that allows persistent code execution across visits.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. The attacker must possess Contributor-level role or higher and be able to edit page content. The injection occurs via the data-url attribute, so achieving the attack requires both authenticated access and the ability to modify or create widget configurations. Once placed, the script will execute for all visitors of the affected page. "}}}}, "created": "2026-04-20T22:30:19.875058+00:00", "updated": "2026-04-20T22:30:19.875069+00:00", "vendors": []}