CVE-2025-5585 MEDIUM

CVE-2025-5585: SiteOrigin Widgets Bundle <= 1.68.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-url` DOM Element Attribute

Vendor Gpriday

Product SiteOrigin Widgets Bundle

Weakness CWE-79 · XSS

Published June 25, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

6.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-url` DOM Element Attribute in all versions up to, and including, 1.68.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Explanation of Vulnerability in Simple Terms

02Summary

SiteOrigin Widgets Bundle versions up to 1.68.5 contain a stored cross-site scripting (XSS) vulnerability. An authenticated user with low privileges can inject malicious scripts into widget content that execute in the browsers of other site visitors. The vulnerability affects the scope beyond the vulnerable component, potentially compromising site security and user data.

What an attacker can do

03Attacker Capabilities

Inject malicious scripts that run in other users' browsers when they view affected widget content.

Potential impact on your site

04Site Impact

Malicious scripts can steal visitor data, deface content, or redirect users to phishing sites.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege authenticated account on the site.

Key dates

06Disclosure timeline

June 25, 2025 CVE published

April 8, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-5585 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities