Security Advisory: Cross-Site Scripting in Livemesh (CVE-2025-8780)

Cross-Site Scripting (XSS) in WordPress Livemesh SiteOrigin Widgets Plugin
Plugin Name: Livemesh SiteOrigin Widgets
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2025-8780
Urgency: Low
CVE Publish Date: 2025-12-13
Source URL: CVE-2025-8780

Urgent: Authenticated Contributor Stored XSS in Livemesh SiteOrigin Widgets (≤ 3.9.1) — What You Need to Know and How to Protect Your WordPress Site

Date: 13 Dec 2025
CVE: CVE-2025-8780
Severity: CVSS 6.5 (Medium)
Affected plugin: Livemesh SiteOrigin Widgets ≤ 3.9.1
Fixed in: 3.9.2
Required privilege to exploit: Contributor (authenticated)

Written from the perspective of a Hong Kong-based security practitioner, this is a pragmatic, prioritised advisory for administrators, developers and incident responders who run WordPress in production. The vulnerability described below lets a Contributor-level account persist JavaScript in the configuration of certain widgets. Because Contributors cannot publish, the typical path is an Editor or Administrator previewing or reviewing a pending post that contains the widget; once such content is published, the script also runs in the browser of every public visitor who loads that page. Read and act now.


Executive summary (quick action items)

  • Update Livemesh SiteOrigin Widgets to 3.9.2 (or later) immediately — this release contains the fix.
  • If you cannot update immediately: remove or disable the affected widgets (Hero Header and Pricing Table), revoke Contributor access for untrusted users, or apply generic WAF/virtual-patch rules that block obvious payloads. Treat WAF rules as a stopgap only: they do not remove payloads that are already stored.
  • Search your site for injected markup: look for <script tags, inline on* event handlers and javascript: URLs in widget instances (widget_* rows in wp_options), Page Builder layouts (panels_data rows in wp_postmeta) and post content. Then check for wider signs of compromise: new administrator accounts, modified theme or plugin files, unexpected scheduled tasks (wp_cron), and unexplained outbound network requests.
  • If you find evidence of exploitation: isolate the site, rotate credentials, API keys and the authentication salts in wp-config.php (which invalidates all logged-in sessions), remove the malicious content, run full malware scans, and restore from a clean backup if necessary.
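The search step above is easiest to do over a database export rather than by clicking through every widget. The script below is an added example written for this advisory, not code from the plugin or its vendor: it scans raw wp_options / wp_postmeta / wp_posts values for the indicators a stored-XSS payload leaves behind. It works on the serialized data as-is, because PHP serialize() and JSON keep string contents verbatim, so a payload in a widget field is still visible in the blob. The sample rows, the option keys (widget_lsow-hero-header, widget_lsow-pricing-table) and the payloads are constructed for illustration and are assumptions about how Livemesh stores its widgets; adapt the key names to what you see in your own database.

```python
import re

# Indicators of active content inside stored widget or page-builder data.
# PHP serialize() and JSON keep string contents verbatim, so a payload stored
# in a widget field can be found in the raw option/meta value without
# deserializing it. Every hit still needs a human to look at it.
DANGEROUS_PATTERNS = [
    ("script_tag",     re.compile(r"<\s*script\b", re.I)),
    # inline event handler used as an attribute: preceded by whitespace,
    # a quote or a '/', so prose such as "turned notifications on" is ignored
    ("event_handler",  re.compile(r"""(?<=[\s"'/])on[a-z]+\s*=""", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("active_element", re.compile(r"<\s*(svg|iframe|object|embed|math)\b", re.I)),
    ("data_html_uri",  re.compile(r"data\s*:\s*text/html", re.I)),
]

# Constructed sample rows (table, key, value). Key names are assumptions about
# how the Livemesh widgets and SiteOrigin Page Builder store their settings.
SAMPLE_ROWS = [
    # benign Hero Header widget instance
    ("wp_options", "widget_lsow-hero-header",
     r'''a:2:{i:2;a:3:{s:5:"title";s:12:"Welcome home";s:8:"subtitle";s:24:"<em>Built with care</em>";s:5:"align";s:6:"center";}s:12:"_multiwidget";i:1;}'''),
    # Pricing Table instance carrying a constructed stored-XSS payload
    ("wp_options", "widget_lsow-pricing-table",
     r'''a:2:{i:3;a:2:{s:5:"title";s:42:"Pro<script>fetch('//x.example/c')</script>";s:5:"price";s:3:"$99";}s:12:"_multiwidget";i:1;}'''),
    # Page Builder layout (panels_data) with an event-handler payload
    ("wp_postmeta", "panels_data",
     r'''{"widgets":[{"title":"<img src=x onerror=alert(1)>","panels_info":{"class":"LSOW_Hero_Header_Widget"}}]}'''),
    # ordinary post content that must not trigger a finding
    ("wp_posts", "post_content", "<p>Contact us online.</p>"),
]


def find_suspicious(rows):
    """Scan (table, key, value) rows; return one finding per matched indicator.

    Each finding carries a short snippet around the match so a responder can
    triage without opening the full serialized blob.
    """
    findings = []
    for table, key, value in rows:
        for name, pattern in DANGEROUS_PATTERNS:
            match = pattern.search(value)
            if match:
                start = max(0, match.start() - 30)
                findings.append({
                    "table": table,
                    "key": key,
                    "indicator": name,
                    "snippet": value[start:match.end() + 40],
                })
    return findings


def keys_with_findings(rows):
    """Sorted, de-duplicated list of option/meta keys that need manual review."""
    return sorted({f["key"] for f in find_suspicious(rows)})


def rows_from_tsv(text):
    """Parse 'table<TAB>key<TAB>value' lines into rows.

    This is the shape you get from a mysql batch query (for example via
    `wp db query "..." --skip-column-names`, which passes the flag to mysql);
    newlines inside values arrive escaped as \\n, which does not affect scanning.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        table, key, value = line.split("\t", 2)
        rows.append((table, key, value))
    return rows


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_ROWS):
        print(f"{finding['table']}.{finding['key']}: {finding['indicator']} -> {finding['snippet']!r}")
    print("review:", keys_with_findings(SAMPLE_ROWS))
```

To run it against a live site, export the three tables with a query such as `SELECT 'wp_options', option_name, option_value FROM wp_options WHERE option_name LIKE 'widget\_%'` (and the matching panels_data and post_content selects), feed the TSV into `rows_from_tsv`, and review every key that `keys_with_findings` reports. A hit is a lead, not proof: confirm by inspecting the stored value, then check which user last edited the post that owns it.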

What is the vulnerability?

This is a stored cross-site scripting (XSS) vulnerability (CVE-2025-8780) in Livemesh SiteOrigin Widgets versions up to and including 3.9.1. Certain widget inputs, specifically in the Hero Header and Pricing Table widgets, accepted HTML that was neither sanitized on save nor escaped when rendered. A user with Contributor privileges could therefore store JavaScript (for example,