WP-Safety

Livemesh SiteOrigin Widgets Security & Risk Analysis

wordpress.org/plugins/livemesh-siteorigin-widgets

A collection of premium quality widgets for use in any widgetized area or in SiteOrigin page builder. SiteOrigin Widgets Bundle is required.

20K active installs v3.9.2 PHP + WP 5.8+ Updated Nov 5, 2025
siteoriginsiteorigin-page-buildersiteorigin-widgetssiteorigin-widgets-bundlewidget
96
A · Safe
CVEs total2
Unpatched0
Last CVEDec 12, 2025
Plugin page Download
Safety Verdict

Is Livemesh SiteOrigin Widgets Safe to Use in 2026?

Generally Safe

Score 96/100

Livemesh SiteOrigin Widgets has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Dec 12, 2025Updated 4mo ago
Risk Assessment

The plugin "livemesh-siteorigin-widgets" v3.9.2 exhibits a mixed security posture. On the positive side, all SQL queries are properly prepared, and there are no detected dangerous functions or file operations, indicating a generally good approach to core security practices. However, a significant concern is the presence of one AJAX handler without any authentication checks, creating a direct, unprotected entry point for potential attackers. While taint analysis found no immediate vulnerabilities, the historical data reveals two previous CVEs, including a high-severity Cross-Site Scripting (XSS) vulnerability and a Missing Authorization issue. The fact that these have been patched is a good sign, but the pattern suggests that past vulnerabilities have been present and addressed, highlighting a need for continued vigilance and robust security practices.

Key Concerns

  • AJAX handler without auth checks
  • Output escaping only 58% proper
  • Total known CVEs (2)
  • High severity historical CVE (1)
  • Bundled Freemius v1.0 library
Vulnerabilities
2

Livemesh SiteOrigin Widgets Security Vulnerabilities

CVEs by Year

1 CVE in 2019
2019
1 CVE in 2025
2025
Patched Has unpatched

Severity Breakdown

High
1
Medium
1

2 total CVEs

CVE-2025-8780medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Livemesh SiteOrigin Widgets <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Hero Header and Pricing Table Widgets

Dec 12, 2025 Patched in 3.9.2 (1d)
WF-3fda31fa-efc9-44b9-99ba-9e3e23aa2ee0-livemesh-siteorigin-widgetshigh · 8.8Missing Authorization

Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update

Feb 25, 2019 Patched in 2.5.2 (1793d)
Code Analysis
Analyzed Mar 16, 2026

Livemesh SiteOrigin Widgets Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
1 prepared
Unescaped Output
137
190 escaped
Nonce Checks
2
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
1

Bundled Libraries

Freemius1.0

SQL Query Safety

100% prepared1 total queries

Output Escaping

58% escaped327 total outputs
Attack Surface
1 unprotected

Livemesh SiteOrigin Widgets Attack Surface

Entry Points1
Unprotected1

AJAX Handlers 1

authwp_ajax_lsow_admin_ajaxadmin\admin-ajax.php:29
WordPress Hooks 25
actionadmin_initadmin\admin-ajax.php:26
actionadmin_enqueue_scriptsadmin\admin-ajax.php:31
actionadmin_menuadmin\admin-init.php:40
actionadmin_enqueue_scriptsadmin\admin-init.php:43
actioncurrent_screenadmin\admin-init.php:45
actionload-plugins.phpadmin\admin-init.php:54
actionadmin_noticesadmin\admin-init.php:55
actionadmin_post_lsow_dismiss_noticeadmin\admin-init.php:56
actionadmin_noticesadmin\admin-init.php:65
actionadmin_noticesadmin\admin-init.php:66
filtersiteorigin_widgets_widget_foldersincludes\class-lsow-setup.php:9
filtersiteorigin_widgets_field_class_prefixesincludes\class-lsow-setup.php:10
filtersiteorigin_widgets_field_class_pathsincludes\class-lsow-setup.php:11
filtersiteorigin_panels_widget_dialog_tabsincludes\class-lsow-setup.php:12
filtersiteorigin_panels_widgetsincludes\class-lsow-setup.php:13
filtersiteorigin_panels_row_style_fieldsincludes\class-lsow-setup.php:14
filtersiteorigin_panels_row_style_attributesincludes\class-lsow-setup.php:15
filtersiteorigin_panels_css_objectincludes\class-lsow-setup.php:22
filtersiteorigin_widgets_default_activeincludes\class-lsow-setup.php:28
actionwp_enqueue_scriptsincludes\widgets\lsow-carousel-widget\lsow-carousel-widget.php:268
actionwp_enqueue_scriptsincludes\widgets\lsow-hero-image-widget\lsow-hero-image-widget.php:361
actionwp_headlivemesh-siteorigin-widgets.php:94
actioninitplugin.php:26
actionwp_enqueue_scriptsplugin.php:117
actionwp_enqueue_scriptsplugin.php:118
Maintenance & Trust

Livemesh SiteOrigin Widgets Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedNov 5, 2025
PHP min version
Downloads1.2M

Community Trust

Rating94/100
Number of ratings103
Active installs20K
Alternatives

Livemesh SiteOrigin Widgets Alternatives

RA Widgets Bundle

RA Widgets Bundle

ra-widgets-bundle

A
85

A collection of widgets using the SiteOrigin Widgets API.

100 No CVEs
WP-Stateless – SiteOrigin Widgets Bundle Addon

WP-Stateless – SiteOrigin Widgets Bundle Addon

wp-stateless-siteorigin-widgets-bundle-addon

A
100

Provides compatibility between the SiteOrigin Widgets Bundle and the WP-Stateless plugins.

30 No CVEs
Ultimate Addons for SiteOrigin

Ultimate Addons for SiteOrigin

addon-so-widgets-bundle

A
85

An ultimate collection of addons for SiteOrigin. SiteOrigin Widgets Bundle is required.

7K No CVEs
Tabs Widget for Page Builder

Tabs Widget for Page Builder

tabs-widget-for-page-builder

A
85

Adds a "Tabs for Page Builder" widget, which can be used in Page Builder by SiteOrigin editor.

3K No CVEs
Zen Addons for SiteOrigin Page Builder

Zen Addons for SiteOrigin Page Builder

zen-addons-for-siteorigin-page-builder

A
85

Zen Addons is a collection of helpful widget extensions for SiteOrigin Page Builder. It's simple, flexible, and useful.

1K No CVEs
Developer Profile

Livemesh SiteOrigin Widgets Developer Profile

livemesh

8 plugins · 81K total installs

70
trust score
Avg Security Score
87/100
Avg Patch Time
229 days
View full developer profile
Detection Fingerprints

How We Detect Livemesh SiteOrigin Widgets

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/livemesh-siteorigin-widgets/assets/css/lsow-frontend.css/wp-content/plugins/livemesh-siteorigin-widgets/assets/js/lsow-frontend.js/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/woo-products/css/style.css/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/woo-products/js/scripts.js/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/woo-products/css/frontend.css/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/woo-products/js/frontend.js/wp-content/plugins/livemesh-siteorigin-widgets/assets/css/lsow-admin.css/wp-content/plugins/livemesh-siteorigin-widgets/assets/js/lsow-admin.js+108 more
Script Paths
/wp-content/plugins/livemesh-siteorigin-widgets/assets/js/lsow-frontend.js/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/woo-products/js/scripts.js/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/woo-products/js/frontend.js/wp-content/plugins/livemesh-siteorigin-widgets/assets/js/lsow-admin.js/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/fancy-heading/js/scripts.js/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/fancy-heading/js/frontend.js+52 more
Version Parameters
livemesh-siteorigin-widgets/assets/css/lsow-frontend.css?ver=livemesh-siteorigin-widgets/assets/js/lsow-frontend.js?ver=livemesh-siteorigin-widgets/assets/css/lsow-admin.css?ver=livemesh-siteorigin-widgets/assets/js/lsow-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
lsow-feature-listlsow-post-gridlsow-post-carousellsow-pricing-tablelsow-pricing-table-altlsow-woo-productslsow-accordionslsow-tabs+19 more
HTML Comments
<!-- livemesh-so-widgets -->
Data Attributes
data-lsow-options
JS Globals
window.lsow_fslsow_admin_ajaxlsow_admin_nonce
FAQ

Frequently Asked Questions about Livemesh SiteOrigin Widgets