Livemesh SiteOrigin Widgets Security & Risk Analysis

wordpress.org/plugins/livemesh-siteorigin-widgets

A collection of premium quality widgets for use in any widgetized area or in SiteOrigin page builder. SiteOrigin Widgets Bundle is required.

20K active installs v3.9.2 PHP + WP 5.8+ Updated Nov 5, 2025
siteoriginsiteorigin-page-buildersiteorigin-widgetssiteorigin-widgets-bundlewidget
71
B · Generally Safe
CVEs total3
Unpatched1
Last CVEMay 26, 2026
Safety Verdict

Is Livemesh SiteOrigin Widgets Safe to Use in 2026?

Mostly Safe

Score 71/100

Livemesh SiteOrigin Widgets is generally safe to use. 3 past CVEs were resolved.

3 known CVEs 1 unpatched Last CVE: May 26, 2026Updated 8mo ago
Risk Assessment

The plugin "livemesh-siteorigin-widgets" v3.9.2 exhibits a mixed security posture. On the positive side, all SQL queries are properly prepared, and there are no detected dangerous functions or file operations, indicating a generally good approach to core security practices. However, a significant concern is the presence of one AJAX handler without any authentication checks, creating a direct, unprotected entry point for potential attackers. While taint analysis found no immediate vulnerabilities, the historical data reveals two previous CVEs, including a high-severity Cross-Site Scripting (XSS) vulnerability and a Missing Authorization issue. The fact that these have been patched is a good sign, but the pattern suggests that past vulnerabilities have been present and addressed, highlighting a need for continued vigilance and robust security practices.

Key Concerns

  • AJAX handler without auth checks
  • Output escaping only 58% proper
  • Total known CVEs (2)
  • High severity historical CVE (1)
  • Bundled Freemius v1.0 library
Vulnerabilities
3 published

Livemesh SiteOrigin Widgets Security Vulnerabilities

CVEs by Year

1 CVE in 2019
2019
1 CVE in 2025
2025
1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

High
1
Medium
2

3 total CVEs

CVE-2026-3896medium · 6.4Missing Authorization

Livemesh SiteOrigin Widgets <= 3.9.2 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

May 26, 2026Unpatched
CVE-2025-8780medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Livemesh SiteOrigin Widgets <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Hero Header and Pricing Table Widgets

Dec 12, 2025 Patched in 3.9.2 (1d)

Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update

Feb 25, 2019 Patched in 2.5.2 (1793d)
Code Analysis
Analyzed Mar 16, 2026

Livemesh SiteOrigin Widgets Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
1 prepared
Unescaped Output
137
190 escaped
Nonce Checks
2
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
1

Bundled Libraries

Freemius1.0

SQL Query Safety

100% prepared1 total queries

Output Escaping

58% escaped327 total outputs
Attack Surface
1 unprotected

Livemesh SiteOrigin Widgets Attack Surface

Entry Points1
Unprotected1

AJAX Handlers 1

authwp_ajax_lsow_admin_ajaxadmin\admin-ajax.php:29
WordPress Hooks 25
actionadmin_initadmin\admin-ajax.php:26
actionadmin_enqueue_scriptsadmin\admin-ajax.php:31
actionadmin_menuadmin\admin-init.php:40
actionadmin_enqueue_scriptsadmin\admin-init.php:43
actioncurrent_screenadmin\admin-init.php:45
actionload-plugins.phpadmin\admin-init.php:54
actionadmin_noticesadmin\admin-init.php:55
actionadmin_post_lsow_dismiss_noticeadmin\admin-init.php:56
actionadmin_noticesadmin\admin-init.php:65
actionadmin_noticesadmin\admin-init.php:66
filtersiteorigin_widgets_widget_foldersincludes\class-lsow-setup.php:9
filtersiteorigin_widgets_field_class_prefixesincludes\class-lsow-setup.php:10
filtersiteorigin_widgets_field_class_pathsincludes\class-lsow-setup.php:11
filtersiteorigin_panels_widget_dialog_tabsincludes\class-lsow-setup.php:12
filtersiteorigin_panels_widgetsincludes\class-lsow-setup.php:13
filtersiteorigin_panels_row_style_fieldsincludes\class-lsow-setup.php:14
filtersiteorigin_panels_row_style_attributesincludes\class-lsow-setup.php:15
filtersiteorigin_panels_css_objectincludes\class-lsow-setup.php:22
filtersiteorigin_widgets_default_activeincludes\class-lsow-setup.php:28
actionwp_enqueue_scriptsincludes\widgets\lsow-carousel-widget\lsow-carousel-widget.php:268
actionwp_enqueue_scriptsincludes\widgets\lsow-hero-image-widget\lsow-hero-image-widget.php:361
actionwp_headlivemesh-siteorigin-widgets.php:94
actioninitplugin.php:26
actionwp_enqueue_scriptsplugin.php:117
actionwp_enqueue_scriptsplugin.php:118
Maintenance & Trust

Livemesh SiteOrigin Widgets Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedNov 5, 2025
PHP min version
Downloads1.2M

Community Trust

Rating94/100
Number of ratings103
Active installs20K
Developer Profile

Livemesh SiteOrigin Widgets Developer Profile

livemesh

8 plugins · 80K total installs

59
trust score
Avg Security Score
72/100
Avg Patch Time
243 days
View full developer profile
Detection Fingerprints

How We Detect Livemesh SiteOrigin Widgets

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/livemesh-siteorigin-widgets/assets/css/lsow-frontend.css/wp-content/plugins/livemesh-siteorigin-widgets/assets/js/lsow-frontend.js/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/woo-products/css/style.css/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/woo-products/js/scripts.js/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/woo-products/css/frontend.css/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/woo-products/js/frontend.js/wp-content/plugins/livemesh-siteorigin-widgets/assets/css/lsow-admin.css/wp-content/plugins/livemesh-siteorigin-widgets/assets/js/lsow-admin.js+108 more
Script Paths
/wp-content/plugins/livemesh-siteorigin-widgets/assets/js/lsow-frontend.js/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/woo-products/js/scripts.js/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/woo-products/js/frontend.js/wp-content/plugins/livemesh-siteorigin-widgets/assets/js/lsow-admin.js/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/fancy-heading/js/scripts.js/wp-content/plugins/livemesh-siteorigin-widgets/includes/widgets/premium/fancy-heading/js/frontend.js+52 more
Version Parameters
livemesh-siteorigin-widgets/assets/css/lsow-frontend.css?ver=livemesh-siteorigin-widgets/assets/js/lsow-frontend.js?ver=livemesh-siteorigin-widgets/assets/css/lsow-admin.css?ver=livemesh-siteorigin-widgets/assets/js/lsow-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
lsow-feature-listlsow-post-gridlsow-post-carousellsow-pricing-tablelsow-pricing-table-altlsow-woo-productslsow-accordionslsow-tabs+19 more
HTML Comments
<!-- livemesh-so-widgets -->
Data Attributes
data-lsow-options
JS Globals
window.lsow_fslsow_admin_ajaxlsow_admin_nonce
FAQ

Frequently Asked Questions about Livemesh SiteOrigin Widgets