CVE-2024-1070
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the features attribute in all versions up to, and including, 1.58.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 34,442 live websites that are affected by CVE-2024-1070.
Affected Software
| Product |  So Widgets Bundle |
| Category | Wordpress Plugins |
| Vulnerable Domains | 34,442 live websites (40.01% of So Widgets Bundle install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 179 versions ( 78.51% of all versions) |
Details
- Published - Feb 20, 2024
- Updated - Aug 1, 2024
Credits
- Mdr001 (finder)
CVE References
CVE-2024-1070 usage by Country
 United States | 7,783 websites |
 Germany | 4,669 websites |
 France | 2,539 websites |
 Japan | 1,851 websites |
 GB | 1,594 websites |
 Netherlands | 1,468 websites |
 Poland | 1,419 websites |
 Russia | 1,325 websites |
 Italy | 993 websites |
 Spain | 842 websites |
CVE-2024-1070 usage by TLD
| .com | 12,207 websites |
| .de | 2,553 websites |
| .nl | 1,443 websites |
| .org | 1,380 websites |
| .co.uk | 1,180 websites |
| .pl | 1,133 websites |
| .ru | 1,076 websites |
| .fr | 990 websites |
| .it | 772 websites |
| .net | 734 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-1070
Top websites that are affected by CVE-2024-1070. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.***.tr |  Turkey | **,*** | |
| *************.com | United States | **,*** | |
| *****************.com | United States | **,*** | |
| ***********.com | United States | **,*** | |
| *********.org | United States | **,*** | |
| ******.org | United States | **,*** | |
| *********.com |  Indonesia | **,*** | |
| ****.**.th |  Thailand | **,*** | |
| ***.it | France | **,*** | |
| ***.org | United States | **,*** |
FAQ
A total of 34,442 websites have been identified as vulnerable to CVE-2024-1070, discovered through global website indexing conducted by WebTechSurvey.
So Widgets Bundle is susceptible to CVE-2024-1070 vulnerability.
So Widgets Bundle versions before, and including, 1.58.2 are vulnerable to CVE-2024-1070.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a8b6dafb-7b2f-4459-95bd-eb7e147a4466?source=cve
- https://plugins.trac.wordpress.org/browser/so-widgets-bundle/widgets/features/tpl/default.php#L26
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3031864%40so-widgets-bundle%2Ftrunk&old=3027675%40so-widgets-bundle%2Ftrunk&sfp_email=&sfph_mail=