Atomic Edge analysis of CVE-2026-2127:
The SiteOrigin Widgets Bundle plugin for WordPress versions up to 1.70.4 contains a missing capability check vulnerability. This flaw allows authenticated users with Subscriber-level permissions or higher to execute arbitrary shortcodes via the widget preview AJAX endpoint. The vulnerability stems from insufficient authorization in the `siteorigin_widget_preview_widget_action()` function, which only validates a nonce but does not verify user capabilities.
Atomic Edge research identifies the root cause in the `siteorigin_widget_preview_widget_action()` function located in `so-widgets-bundle/base/inc/actions.php`. The function, registered via the `wp_ajax_so_widgets_preview` AJAX action, performed a nonce check using `$_REQUEST['_widgets_nonce']` but lacked any call to `current_user_can()`. The required nonce for this endpoint is exposed on public pages containing the Post Carousel widget, embedded within a `data-ajax-url` HTML attribute. This exposure enables attackers to obtain a valid nonce without administrative access.
The exploitation method involves an authenticated attacker with Subscriber privileges sending a POST request to `/wp-admin/admin-ajax.php` with the action parameter set to `so_widgets_preview`. The attacker must include the `_widgets_nonce` parameter, which they can extract from a public page containing the Post Carousel widget. The `class` POST parameter must specify `SiteOrigin_Widget_Editor_Widget`, and the `data` parameter contains the shortcode payload to execute. The plugin then renders the widget preview, executing the embedded shortcode with the permissions of the plugin’s AJAX handler.
The patch introduces a new `siteorigin_verify_request_permissions()` function in `so-widgets-bundle/base/base.php`. This centralized function validates both the nonce and user capability. The vulnerable `siteorigin_widget_preview_widget_action()` function now calls `siteorigin_verify_request_permissions()` without arguments, defaulting to the `edit_posts` capability requirement. The patch also updates all other AJAX handlers in the plugin to use this function, ensuring consistent authorization checks across the codebase. The function terminates execution with a 403 error if either check fails.
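The nonce-only handler versus the nonce-plus-capability pattern described above, as an added PHP illustration that is not the plugin's own code: the function names, the AJAX action name `example_preview` and the nonce action string `widgets_action` are assumptions; only `wp_verify_nonce()`, `current_user_can()`, `wp_die()`, `sanitize_text_field()`, `wp_unslash()` and `add_action()` are real WordPress APIs.

```php
<?php
// Added illustration, not the SiteOrigin Widgets Bundle code. Function names
// and the nonce action string 'widgets_action' are hypothetical stand-ins.

// VULNERABLE PATTERN: a nonce only proves the request originated from a page
// that embedded it. When that page is public, any logged-in user (Subscriber
// included) can obtain the nonce, so this check says nothing about authority.
function example_preview_nonce_only() {
    $nonce = isset( $_REQUEST['_widgets_nonce'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['_widgets_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'widgets_action' ) ) {
        wp_die( 'Invalid nonce', '', array( 'response' => 403 ) );
    }
    // ... renders the preview, which runs do_shortcode() on request data ...
}

// HARDENED PATTERN: one centralised helper that verifies the nonce AND a
// capability, defaulting to edit_posts, and aborts with HTTP 403 on failure.
function example_verify_request_permissions(
    $capability   = 'edit_posts',
    $nonce_field  = '_widgets_nonce',
    $nonce_action = 'widgets_action'
) {
    $nonce = isset( $_REQUEST[ $nonce_field ] )
        ? sanitize_text_field( wp_unslash( $_REQUEST[ $nonce_field ] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, $nonce_action ) ) {
        wp_die( 'Invalid nonce', '', array( 'response' => 403 ) );
    }
    // Capability check binds the action to a role, not just to a page visit.
    if ( ! current_user_can( $capability ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
}

function example_preview_hardened() {
    // No arguments: requires edit_posts, which Subscribers do not hold.
    example_verify_request_permissions();
    // ... render the preview only for users allowed to edit content ...
}

// Every AJAX handler in the plugin should route through the same helper so
// that no endpoint is left with a nonce check alone.
add_action( 'wp_ajax_example_preview', 'example_preview_hardened' );
```

A quick audit for the same class of bug is to grep each `wp_ajax_*` callback for `check_ajax_referer()`/`wp_verify_nonce()` without an accompanying `current_user_can()` in the same function.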
Successful exploitation allows attackers to execute arbitrary shortcodes. This can lead to privilege escalation, data exfiltration, or remote code execution depending on available shortcodes. Attackers could embed shortcodes that query sensitive data, modify site content, or invoke other vulnerable plugins. The vulnerability requires an authenticated user account, but the low Subscriber-level permission makes this easily attainable on sites with open registration or compromised credentials.
