SiteOrigin Widgets Bundle Security & Risk Analysis

wordpress.org/plugins/so-widgets-bundle

Essential elements for modern websites. Add buttons, sliders, heroes, maps, images, carousels, features, icons, more. Create dynamic pages easily.

400K active installs · v1.71.0 · PHP 7.0.0+ · WP 4.2+ · Updated Feb 13, 2026
Tags: blocks, blog, contact-form, slider, widgets
Security score: 95 (A · Safe)
CVEs total: 11
Unpatched: 0
Last CVE: Feb 17, 2026
Safety Verdict

Is SiteOrigin Widgets Bundle Safe to Use in 2026?

Generally Safe

Score 95/100

SiteOrigin Widgets Bundle has a strong security track record. Known vulnerabilities have been patched promptly.

11 known CVEs · Last CVE: Feb 17, 2026 · Updated 1mo ago
Risk Assessment

The so-widgets-bundle plugin v1.71.0 shows a mixed security posture. On the positive side, 6 of its 7 SQL queries (86%) use prepared statements, 893 of 1,105 output sites (81%) are escaped, and the code contains 21 capability checks and 14 nonce checks. Against that, static analysis flags 10 of its 23 entry points as unprotected: AJAX handlers in which no nonce or capability check was detected. All but one of the 21 AJAX handlers are registered on wp_ajax_ hooks, which WordPress only serves to logged-in users, so the realistic attacker for those handlers is any authenticated account rather than an anonymous visitor. That matches the plugin's CVE history, where the missing-authorization issues were exploitable by Subscriber+ accounts. The single wp_ajax_nopriv_ handler, sow_carousel_load, is the only AJAX entry point reachable without a login.

The analysis also reports 6 of 11 data flows with unsanitized paths, one of them rated critical (siteorigin_widget_preview_widget_action in base\inc\actions.php): user-controlled values reach file or path operations with no sanitizer on the way. The vulnerability history shows no unpatched CVEs, but the count is high: 11 CVEs since 2023, all rated medium, 8 of them in 2024. The recurring classes are authenticated stored cross-site scripting (Contributor+), missing authorization, and one CWE-98 file inclusion that, per its advisory title, is a local file inclusion requiring Admin+ privileges. Together these point to systemic weaknesses in how the plugin sanitizes widget input and gates privileged actions rather than to one-off bugs.

In short, the plugin has real protections in place, and the per-CVE patch times listed below are mostly single-digit days, but the unprotected entry points, the critical taint flow, and the pattern of medium-severity authorization and sanitization bugs warrant caution. Sites should run 1.71.0 or later, limit untrusted Contributor and Subscriber accounts where possible, and treat the 10 unprotected AJAX handlers and the flagged taint flow as the first places to audit; every handler should verify a nonce and a capability before acting on request data, and every path derived from request data should be resolved against an allowlist.

Key Concerns

  • 10 of 21 AJAX handlers with no nonce or capability check detected (all on logged-in wp_ajax_ hooks except sow_carousel_load, which also has a nopriv registration)
  • One critical-severity taint flow (siteorigin_widget_preview_widget_action, base\inc\actions.php)
  • 11 historical CVEs, all medium severity, 8 of them in 2024
  • 6 of 11 data flows reach their sinks through unsanitized paths
  • Vulnerability history includes authenticated stored XSS (Contributor+), missing authorization (Subscriber+), and an Admin+ local file inclusion (CWE-98)
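The following is an added example, not code from the SiteOrigin Widgets Bundle, written to illustrate the two concerns above together: an AJAX handler that acts on request data without a nonce or capability check, and a request value that reaches a file include unsanitized. The vulnerable handler and a hardened version of the same handler are shown side by side. The action names example_preview_vulnerable and example_preview, the tpl/ directory and the template allowlist are hypothetical; the WordPress functions used (check_ajax_referer, current_user_can, sanitize_key, wp_unslash, wp_send_json_error, wp_send_json_success, plugin_dir_path) are core APIs.

```php
<?php
// Added example, not code from the SiteOrigin Widgets Bundle. Action names, the
// tpl/ directory and the template allowlist are hypothetical; the WordPress
// functions are core APIs.

// Vulnerable pattern.
// A wp_ajax_ hook is reachable by any logged-in account, Subscriber included.
// Nothing here checks a nonce (CSRF) or a capability (authorization), and the
// template name flows from the request straight into require, so a value
// containing "../" selects any .php file on disk. That is the bug class
// (CWE-98 file inclusion) of CVE-2023-6295 in the table below, which that
// advisory limited to Admin+; here any logged-in role suffices.
function example_preview_vulnerable() {
    $template = $_POST['template'];                                     // tainted
    require plugin_dir_path( __FILE__ ) . 'tpl/' . $template . '.php'; // sink
    wp_die();
}
add_action( 'wp_ajax_example_preview_vulnerable', 'example_preview_vulnerable' );

// Hardened pattern.
function example_preview_secure() {
    // 1. CSRF: the request must carry a nonce tied to this user and action.
    //    check_ajax_referer() dies with "-1" when the nonce is missing or wrong.
    check_ajax_referer( 'example_preview', 'nonce' );

    // 2. Authorization: logged-in is not enough. Core gates widget editing on
    //    edit_theme_options, so require the same capability here.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input: the request may pick a template from an allowlist, never build
    //    a path. sanitize_key() keeps only [a-z0-9_-], so "../" cannot survive,
    //    and the strict in_array() rejects anything not on the list.
    $allowed  = array( 'button', 'hero', 'image-grid' );
    $template = isset( $_POST['template'] ) ? sanitize_key( wp_unslash( $_POST['template'] ) ) : '';
    if ( ! in_array( $template, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown template' ), 400 );
    }

    // 4. Defence in depth: confirm the resolved file really lives under tpl/.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'tpl' );
    $file = ( $base === false ) ? false : realpath( $base . '/' . $template . '.php' );
    if ( $file === false || strpos( $file, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_send_json_error( array( 'message' => 'template not found' ), 404 );
    }

    ob_start();
    require $file;
    $html = ob_get_clean();

    // 5. Output: whatever the template prints from widget settings must be
    //    escaped at the point of output (esc_html, esc_attr, esc_url). The 212
    //    unescaped outputs counted in the code analysis are where stored XSS of
    //    the Contributor+ kind in the CVE list originates.
    wp_send_json_success( array( 'html' => $html ) );
}
add_action( 'wp_ajax_example_preview', 'example_preview_secure' );
```

The nonce the hardened handler checks is created on the admin side with wp_create_nonce( 'example_preview' ) and handed to the page script, for instance through wp_localize_script, so the browser can send it as the nonce POST field. A nonce alone is not authorization: WordPress issues nonces to any logged-in user, so the current_user_can check is what keeps a Subscriber away from the include, and the allowlist is what keeps the include away from the filesystem.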
Vulnerabilities: 11

SiteOrigin Widgets Bundle Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2024: 8 CVEs
2025: 1 CVE
2026: 1 CVE

Severity Breakdown

Medium: 11 (11 total CVEs, all patched)

CVE-2026-2127 · medium · 5.4 · Missing Authorization

SiteOrigin Widgets Bundle <= 1.70.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution

Feb 17, 2026 · Patched in 1.71.0 (1d)

CVE-2025-5585 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SiteOrigin Widgets Bundle <= 1.68.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-url` DOM Element Attribute

Jun 24, 2025 · Patched in 1.69.0 (1d)

CVE-2024-54268 · medium · 4.3 · Missing Authorization

SiteOrigin Widgets Bundle <= 1.64.0 - Missing Authorization

Dec 10, 2024 · Patched in 1.64.1 (9d)

CVE-2024-5901 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SiteOrigin Widgets Bundle <= 1.62.2 - Authenticated (Contributor+) Stored Cross-Site Scripting in Image Grid widget

Jul 30, 2024 · Patched in 1.62.3 (1d)

CVE-2024-5090 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SiteOrigin Widgets Bundle <= 1.61.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via SiteOrigin Blog Widget

Jun 10, 2024 · Patched in 1.62.0 (1d)

CVE-2024-4362 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SiteOrigin Widgets Bundle <= 1.60.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'siteorigin_widget' Shortcode

May 21, 2024 · Patched in 1.61.0 (1d)

CVE-2024-1723 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SiteOrigin Widgets Bundle <= 1.58.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 4, 2024 · Patched in 1.58.8 (89d)

CVE-2024-1070 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SiteOrigin Widgets Bundle <= 1.58.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 12, 2024 · Patched in 1.58.3 (110d)

CVE-2024-1058 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SiteOrigin Widgets Bundle <= 1.58.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 12, 2024 · Patched in 1.58.4 (110d)

CVE-2024-0961 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SiteOrigin Widgets Bundle <= 1.58.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 29, 2024 · Patched in 1.58.2 (8d)

CVE-2023-6295 · medium · 5.9 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

SiteOrigin Widgets Bundle < 1.51.0 - Authenticated (Admin+) Local File Inclusion

Nov 27, 2023 · Patched in 1.51.0 (57d)
Code Analysis
Analyzed Mar 16, 2026

SiteOrigin Widgets Bundle Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (6 prepared)
Unescaped Output: 212 (893 escaped)
Nonce Checks: 14
Capability Checks: 21
File Operations: 13
External Requests: 2
Bundled Libraries: 3

Bundled Libraries

TinyMCE, Select2, jQuery

SQL Query Safety

86% prepared · 7 total queries

Output Escaping

81% escaped · 1,105 total outputs
Data Flows: 6 unsanitized

Data Flow Analysis

11 flows · 6 with unsanitized paths
Critical flow: siteorigin_widget_preview_widget_action (base\inc\actions.php:6)
Attack Surface: 10 unprotected

SiteOrigin Widgets Bundle Attack Surface

Entry Points: 23
Unprotected: 10

AJAX Handlers 21

Hook type · Action · Location (auth = wp_ajax_ hook, served to logged-in users only; nopriv = wp_ajax_nopriv_ hook, reachable without a login)

auth · wp_ajax_siteorigin_widgets_get_icons · base\base.php:68
auth · wp_ajax_so_widgets_links_get_title · base\base.php:447
auth · wp_ajax_so_widgets_preview · base\inc\actions.php:72
auth · wp_ajax_so_widgets_search_posts · base\inc\actions.php:186
auth · wp_ajax_so_widgets_search_terms · base\inc\actions.php:268
auth · wp_ajax_sow_get_posts_count · base\inc\actions.php:281
auth · wp_ajax_so_widgets_image_search · base\inc\actions.php:325
auth · wp_ajax_so_widgets_image_import · base\inc\actions.php:371
auth · wp_ajax_so_dismiss_widget_teaser · base\inc\actions.php:395
auth · wp_ajax_so_installer_dismiss · base\inc\installer\inc\admin.php:7
auth · wp_ajax_siteorigin_installer_manage · base\inc\installer\inc\admin.php:8
auth · wp_ajax_so_installer_status · base\inc\installer\siteorigin-installer.php:25
auth · wp_ajax_so_widgets_block_migration_notice_consent · compat\block-editor\widget-block.php:30
auth · wp_ajax_elementor_editor_get_wp_widget_form · compat\elementor\elementor.php:22
auth · wp_ajax_sowb_vc_widget_render_form · compat\visual-composer\visual-composer.php:21
auth · wp_ajax_so_widgets_bundle_manage · so-widgets-bundle.php:55
auth · wp_ajax_sow_get_javascript_variables · so-widgets-bundle.php:56
auth · wp_ajax_so_widgets_setting_form · so-widgets-bundle.php:58
auth · wp_ajax_so_widgets_setting_save · so-widgets-bundle.php:59
auth · wp_ajax_sow_carousel_load · widgets\post-carousel\post-carousel.php:141
nopriv · wp_ajax_sow_carousel_load · widgets\post-carousel\post-carousel.php:142

Shortcodes 2

[siteorigin_widget] base\inc\shortcode.php:79
[slide_control] widgets\layout-slider\layout-slider.php:421
WordPress Hooks 118
action · wp_head · base\base.php:51
action · wp_footer · base\base.php:52
filter · siteorigin_panels_widgets · base\base.php:218
action · siteorigin_widgets_footer_admin_templates · base\inc\fields\media.class.php:54
action · init · base\inc\fields\siteorigin-widget-field-class-loader.class.php:131
filter · mce_buttons · base\inc\fields\tinymce.class.php:190
filter · quicktags_settings · base\inc\fields\tinymce.class.php:191
filter · mce_external_plugins · base\inc\fields\tinymce.class.php:212
filter · mce_buttons · base\inc\fields\tinymce.class.php:213
filter · mce_external_plugins · base\inc\fields\tinymce.class.php:226
filter · mce_buttons · base\inc\fields\tinymce.class.php:227
action · admin_notices · base\inc\installer\inc\admin.php:6
action · admin_menu · base\inc\installer\inc\admin.php:9
action · admin_enqueue_scripts · base\inc\installer\inc\admin.php:10
action · activated_plugin · base\inc\installer\inc\admin.php:11
action · deactivated_plugin · base\inc\installer\inc\admin.php:12
filter · siteorigin_premium_affiliate_id · base\inc\installer\siteorigin-installer.php:22
filter · init · base\inc\installer\siteorigin-installer.php:23
filter · siteorigin_add_installer · base\inc\installer\siteorigin-installer.php:24
action · add_meta_boxes · base\inc\meta-box-manager.php:53
action · save_post · base\inc\meta-box-manager.php:54
action · rest_api_init · base\inc\routes\sowb-rest-routes.php:14
action · init · base\inc\shapes\shapes.php:7
action · plugins_loaded · base\inc\shortcode.php:82
filter · siteorigin_panels_cache_shortcode · base\inc\shortcode.php:97
action · widgets_init · base\inc\widget-manager.class.php:16
action · wp_enqueue_scripts · base\inc\widgets\base-carousel.class.php:39
action · wp_enqueue_scripts · base\inc\widgets\base-slider.class.php:34
action · admin_footer · base\siteorigin-widget.class.php:733
action · wp · compat\beaver-builder\beaver-builder.php:16
action · fl_builder_ui_enqueue_scripts · compat\beaver-builder\beaver-builder.php:25
action · wp_enqueue_scripts · compat\beaver-builder\beaver-builder.php:27
action · wp_print_footer_scripts · compat\beaver-builder\beaver-builder.php:29
filter · siteorigin_widgets_form_show_preview_button · compat\beaver-builder\beaver-builder.php:32
action · enqueue_block_assets · compat\block-editor\widget-block.php:28
filter · block_categories_all · compat\block-editor\widget-block.php:85
filter · siteorigin_widgets_is_preview · compat\block-editor\widget-block.php:715
action · init · compat\compat.php:16
action · siteorigin_widgets_stylesheet_deleted · compat\compat.php:32
action · siteorigin_widgets_stylesheet_added · compat\compat.php:33
action · siteorigin_widgets_stylesheet_cleared · compat\compat.php:34
filter · siteorigin_widgets_slider_attr · compat\compat.php:43
filter · woocommerce_format_content · compat\compat.php:55
filter · wpo_purge_page_cache_on_activate_deactivate_plugin · compat\compat.php:165
action · template_redirect · compat\elementor\elementor.php:18
filter · siteorigin_widgets_is_preview · compat\elementor\elementor.php:20
action · elementor/editor/before_enqueue_scripts · compat\elementor\elementor.php:23
filter · elementor/frontend/builder_content/before_print_css · compat\elementor\elementor.php:25
filter · elementor/frontend/the_content · compat\elementor\elementor.php:26
action · wp_enqueue_scripts · compat\elementor\elementor.php:37
action · elementor/preview/enqueue_styles · compat\elementor\elementor.php:38
action · wp_print_footer_scripts · compat\elementor\elementor.php:52
filter · siteorigin_widgets_form_show_preview_button · compat\elementor\elementor.php:127
filter · siteorigin_widgets_post_selector_post_type_permission_check · compat\elementor\elementor.php:147
action · vc_after_init · compat\visual-composer\visual-composer.php:16
action · admin_print_scripts-post-new.php · compat\visual-composer\visual-composer.php:18
action · admin_print_scripts-post.php · compat\visual-composer\visual-composer.php:19
filter · siteorigin_widgets_form_show_preview_button · compat\visual-composer\visual-composer.php:23
filter · content_save_pre · compat\visual-composer\visual-composer.php:25
filter · siteorigin_widgets_icons_elegantline · icons\elegantline\filter.php:107
filter · siteorigin_widgets_icons_fontawesome · icons\fontawesome\filter.php:1903
filter · siteorigin_widgets_icon_styles_fontawesome · icons\fontawesome\filter.php:1913
filter · siteorigin_widgets_icon_migrate_fontawesome · icons\fontawesome\filter.php:1953
filter · siteorigin_widgets_icons_genericons · icons\genericons\filter.php:131
filter · siteorigin_widgets_icons_icomoon · icons\icomoon\filter.php:498
filter · siteorigin_widgets_icon_families · icons\icons.php:34
filter · siteorigin_widgets_icons_ionicons · icons\ionicons\filter.php:740
filter · siteorigin_widgets_icon_styles_materialicons · icons\materialicons\filter.php:10
filter · siteorigin_widgets_icons_materialicons · icons\materialicons\filter.php:2292
filter · siteorigin_widgets_icons_typicons · icons\typicons\filter.php:343
action · admin_init · so-widgets-bundle.php:48
action · admin_menu · so-widgets-bundle.php:49
action · admin_init · so-widgets-bundle.php:50
action · admin_enqueue_scripts · so-widgets-bundle.php:51
action · admin_enqueue_scripts · so-widgets-bundle.php:52
action · init · so-widgets-bundle.php:62
action · after_setup_theme · so-widgets-bundle.php:63
action · after_setup_theme · so-widgets-bundle.php:64
action · admin_init · so-widgets-bundle.php:69
action · siteorigin_widgets_version_update · so-widgets-bundle.php:70
action · switch_theme · so-widgets-bundle.php:73
action · activated_plugin · so-widgets-bundle.php:74
action · upgrader_process_complete · so-widgets-bundle.php:75
filter · siteorigin_panels_data · so-widgets-bundle.php:78
filter · siteorigin_panels_prebuilt_layout · so-widgets-bundle.php:79
filter · siteorigin_panels_widget_object · so-widgets-bundle.php:80
filter · wp_enqueue_scripts · so-widgets-bundle.php:82
filter · wp_enqueue_scripts · so-widgets-bundle.php:83
filter · autoptimize_filter_css_exclude · so-widgets-bundle.php:87
action · init · so-widgets-bundle.php:1096
action · siteorigin_widgets_enqueue_frontend_scripts_sow-accordion · widgets\accordion\accordion.php:41
action · wp_loaded · widgets\blog\blog.php:29
action · siteorigin_widgets_enqueue_frontend_scripts_sow-blog · widgets\blog\blog.php:49
action · wp_enqueue_scripts · widgets\blog\blog.php:51
filter · siteorigin_widgets_blog_query · widgets\blog\blog.php:52
filter · the_content_more_link · widgets\blog\blog.php:1467
filter · excerpt_length · widgets\blog\blog.php:1478
filter · excerpt_more · widgets\blog\blog.php:1479
filter · siteorigin_widgets_less_variables_sow-button · widgets\button-grid\button-grid.php:32
filter · siteorigin_widgets_template_variables_sow-button · widgets\button-grid\button-grid.php:33
action · siteorigin_widgets_after_widget_sow-button-grid · widgets\button-grid\button-grid.php:35
filter · siteorigin_widgets_sanitize_field_multiple_emails · widgets\contact\contact.php:53
action · siteorigin_widgets_enqueue_frontend_scripts_sow-contact-form · widgets\contact\contact.php:54
filter · siteorigin_widgets_contact_body · widgets\contact\contact.php:56
filter · init · widgets\contact\contact.php:2104
filter · siteorigin_widgets_google_font_fields_sow-cta · widgets\cta\cta.php:57
filter · widget_text · widgets\editor\editor.php:100
filter · siteorigin_widgets_field_class_paths · widgets\google-map\google-map.php:25
action · siteorigin_widgets_enqueue_frontend_scripts_sow-google-map · widgets\google-map\google-map.php:26
action · siteorigin_widgets_enqueue_frontend_scripts_sow-layout-slider · widgets\layout-slider\layout-slider.php:32
filter · upload_mimes · widgets\lottie-player\lottie-player.php:38
action · init · widgets\post-carousel\post-carousel.php:17
action · wp_enqueue_scripts · widgets\post-carousel\post-carousel.php:188
action · enqueue_block_assets · widgets\post-carousel\post-carousel.php:189
action · wp_head · widgets\post-carousel\post-carousel.php:238
filter · siteorigin_widgets_block_exclude_widget · widgets\recent-posts\recent-posts.php:28
action · wp_loaded · widgets\recent-posts\recent-posts.php:29
action · siteorigin_widgets_enqueue_frontend_scripts_sow-tabs · widgets\tabs\tabs.php:41
Maintenance & Trust

SiteOrigin Widgets Bundle Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 13, 2026
PHP min version: 7.0.0
Downloads: 46.6M

Community Trust

Rating: 98/100
Number of ratings: 134
Active installs: 400K
Developer Profile

SiteOrigin Widgets Bundle Developer Profile

Greg - SiteOrigin

10 plugins · 1.0M total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 320 days
Detection Fingerprints

How We Detect SiteOrigin Widgets Bundle

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/so-widgets-bundle/base/inc/css/
/wp-content/plugins/so-widgets-bundle/base/inc/js/
/wp-content/plugins/so-widgets-bundle/icons/
/wp-content/plugins/so-widgets-bundle/widgets/button/
/wp-content/plugins/so-widgets-bundle/widgets/google-map/
/wp-content/plugins/so-widgets-bundle/widgets/image/
/wp-content/plugins/so-widgets-bundle/widgets/slider/
/wp-content/plugins/so-widgets-bundle/widgets/post-carousel/
+1 more
Script Paths
/wp-content/plugins/so-widgets-bundle/base/js/admin-widgets.js
/wp-content/plugins/so-widgets-bundle/base/js/siteorigin-widget-bundle.js
/wp-content/plugins/so-widgets-bundle/base/js/admin.js
/wp-content/plugins/so-widgets-bundle/base/js/editor.js
/wp-content/plugins/so-widgets-bundle/icons/js/admin-icons.js
Version Parameters
so-widgets-bundle/base/inc/css/admin.css?ver=
so-widgets-bundle/base/inc/js/admin-widgets.js?ver=
so-widgets-bundle/base/js/siteorigin-widget-bundle.js?ver=
so-widgets-bundle/base/js/admin.js?ver=
so-widgets-bundle/base/js/editor.js?ver=
so-widgets-bundle/icons/js/admin-icons.js?ver=

HTML / DOM Fingerprints

CSS Classes
so-widget-button, so-widget-google-map, so-widget-image, so-widget-slider, so-widget-post-carousel, so-widget-editor, siteorigin-widget-button, siteorigin-widget-google-map, +4 more
Data Attributes
data-widget-id, data-widget-name
JS Globals
siteorigin_widget_bundle_strings, siteorigin_widgets, SiteOriginWidgets
REST Endpoints
/wp-json/siteorigin/widgets/v1/get_widget_fields
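The following is an added example, not part of this page or of the plugin, that applies the fingerprints listed above to saved page HTML: the asset and script paths under /wp-content/plugins/so-widgets-bundle/, the ?ver= query parameter, the so-widget-* and siteorigin-widget-* CSS classes, the data-widget-* attributes and the JS globals. It then compares the discovered version with 1.71.0, the first release in which every CVE in the table above is fixed. The HTML it scans is constructed inline, so it runs offline. It assumes that the ?ver= value on the plugin's own files is the plugin version; a site that cache-busts with a hash or timestamp is reported as detected but with an unknown version rather than a guessed one.

```php
<?php
// Added example, not part of this page or of the plugin. Applies the page's
// fingerprints to HTML and compares the found version with 1.71.0.

const SOWB_FIXED_VERSION = '1.71.0'; // first release with all 11 listed CVEs fixed

// Constructed sample of a front-end page that loads the plugin (not a real site).
function sowb_sample_html(): string {
    return <<<'HTML'
<!doctype html><html><head>
<link rel="stylesheet" href="https://example.test/wp-content/plugins/so-widgets-bundle/widgets/button/css/style.css?ver=1.70.4">
<script src="https://example.test/wp-content/plugins/so-widgets-bundle/base/js/siteorigin-widget-bundle.js?ver=1.70.4"></script>
<script>var siteorigin_widgets = {"ajaxurl":"https://example.test/wp-admin/admin-ajax.php"};</script>
</head><body>
<div class="so-widget-button so-widget-sow-button-flat" data-widget-id="1"><a href="#">Go</a></div>
</body></html>
HTML;
}

/**
 * Collect fingerprint evidence from $html: plugin asset paths with their ?ver=
 * values, so-widget- and siteorigin-widget- CSS classes, data-widget-*
 * attributes and the plugin's JS globals. Returns null when nothing matches.
 */
function sowb_fingerprint( string $html ): ?array {
    $ev = array();

    // Any URL under the plugin directory, optionally carrying a ?ver= parameter.
    if ( preg_match_all( '#/wp-content/plugins/so-widgets-bundle/([^\s"\'?]+)(?:\?ver=([^\s"\'&]+))?#',
                         $html, $m, PREG_SET_ORDER ) ) {
        foreach ( $m as $hit ) {
            $ev['paths'][] = $hit[1];
            if ( ! empty( $hit[2] ) ) {
                $ev['versions'][] = $hit[2];
            }
        }
    }

    // CSS classes are read from class="" attributes only, so the plugin's file
    // names inside src/href URLs are not mistaken for classes.
    if ( preg_match_all( '#\bclass="([^"]*)"#', $html, $m ) ) {
        foreach ( $m[1] as $attr ) {
            foreach ( preg_split( '/\s+/', trim( $attr ) ) as $cls ) {
                if ( preg_match( '#^(?:so|siteorigin)-widget-#', $cls ) ) {
                    $ev['classes'][] = $cls;
                }
            }
        }
    }

    // Data attributes and JS globals from the fingerprint list.
    foreach ( array( 'data-widget-id', 'data-widget-name' ) as $attr ) {
        if ( strpos( $html, $attr . '=' ) !== false ) {
            $ev['attributes'][] = $attr;
        }
    }
    foreach ( array( 'siteorigin_widget_bundle_strings', 'siteorigin_widgets', 'SiteOriginWidgets' ) as $g ) {
        if ( preg_match( '#\b' . preg_quote( $g, '#' ) . '\b#', $html ) ) {
            $ev['globals'][] = $g;
        }
    }

    return $ev === array() ? null : $ev;
}

/**
 * Turn the evidence into a verdict. The ?ver= value on the plugin's own files
 * is taken as the plugin version (an assumption); anything that is not a dotted
 * numeric version, such as a cache-busting hash, yields version=null.
 */
function sowb_assess( string $html ): array {
    $ev = sowb_fingerprint( $html );
    if ( $ev === null ) {
        return array( 'detected' => false, 'version' => null, 'outdated' => null );
    }
    $versions = array_filter( array_unique( $ev['versions'] ?? array() ), function ( $v ) {
        return (bool) preg_match( '/^\d+(\.\d+){1,3}$/', $v );
    } );
    $version = array_values( $versions )[0] ?? null;
    return array(
        'detected' => true,
        'version'  => $version,
        'outdated' => $version === null ? null : version_compare( $version, SOWB_FIXED_VERSION, '<' ),
        'evidence' => $ev,
    );
}

$r = sowb_assess( sowb_sample_html() );
printf( "detected=%s version=%s outdated=%s\n",
    $r['detected'] ? 'yes' : 'no',
    $r['version'] ?? 'unknown',
    $r['outdated'] === null ? 'unknown' : ( $r['outdated'] ? 'yes' : 'no' ) );
```

To use it on a real site, replace sowb_sample_html() with the fetched HTML of a page that renders one of the plugin's widgets; the admin-side scripts in the list above (admin.js, editor.js, admin-icons.js) only load in wp-admin and will not appear on public pages. A result of detected with no version is a prompt to check the plugin's readme.txt or the ver= parameter on a different asset, not a reason to assume the site is patched.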
FAQ

Frequently Asked Questions about SiteOrigin Widgets Bundle