An advisory was published about a high-severity vulnerability found in the Page Builder by SiteOrigin WordPress plugin, which is installed on more than 500,000 websites. This is the third vulnerability found in the SiteOrigin Page Builder in 2026. The vulnerability is rated 8.8 on the CVSS severity scale.
What The Plugin Does
Page Builder by SiteOrigin is a drag-and-drop layout builder for WordPress. It lets site owners create responsive, column-based page designs using standard WordPress widgets. Users can build pages visually without writing code.
Because it works with most themes and doesn't require coding knowledge, it is widely used on business and personal websites.
Requires Contributor-Level Access
The vulnerability requires authentication. An attacker must have Contributor-level access or higher. Contributor is one of the lowest WordPress user roles. Contributors can create and submit posts but cannot publish them. This means the vulnerability does not require administrator access, but it does require an account.
Local File Inclusion Vulnerability
The plugin is vulnerable to Local File Inclusion in all versions up to and including 2.33.5.
Local File Inclusion means the plugin can be made to load files from the server without properly restricting which files are allowed.
The issue exists in the locate_template() function.
What Went Wrong
The plugin does not properly restrict which files can be included through the locate_template() function.
That function should only load approved template files.
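The kind of restriction the article says is missing, shown as an added illustration that is not the plugin's own code: a hypothetical template loader, first in an unrestricted form that turns any caller-supplied name into an include path, then constrained by an allowlist of known template names plus a realpath() containment check. The function names, the constant and the templates directory are assumptions for this example.

```php
<?php
// Added illustration, not code from Page Builder by SiteOrigin. Function
// names, the allowlist constant and the templates directory are assumed.

// Unrestricted form: the name is concatenated into a path and returned for
// inclusion, so nothing stops it from resolving to a file outside the
// templates directory. This is the class of defect the advisory describes.
function hypothetical_locate_template_unsafe(string $name): string {
    return __DIR__ . '/templates/' . $name . '.php';
}

// Hardened form: two independent controls.
//   1. An allowlist of template names the plugin actually ships.
//   2. A realpath() containment check, so that a name which slips past the
//      allowlist (or a future edit that relaxes it) still cannot resolve
//      outside the templates directory via traversal or symlinks.
const HYPOTHETICAL_TEMPLATES = ['default', 'two-column', 'three-column'];

function hypothetical_locate_template_safe(string $name): ?string {
    if (!in_array($name, HYPOTHETICAL_TEMPLATES, true)) {
        return null; // unknown template: refuse rather than guess
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $name . '.php');
    // realpath() returns false for a missing file; additionally require the
    // resolved path to start with the base directory plus a separator.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Caller: include only when the loader returned a vetted path.
function hypothetical_render(string $name): void {
    $path = hypothetical_locate_template_safe($name);
    if ($path === null) {
        throw new InvalidArgumentException('Unknown template: ' . $name);
    }
    include $path;
}
```

Logging the rejected name in the `null` branches gives a simple detection signal for attempts to load templates outside the allowlist.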
What Attackers Can Do
Because the restriction is missing, an authenticated attacker can cause the plugin to include arbitrary files that already exist on the server.
If an attacker can upload a file to the server, they may be able to force the plugin to include that file and execute it as PHP code.
According to the official Wordfence advisory:
"The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.5 via the locate_template() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included."
Affected And Patched Versions
The vulnerability affects Page Builder by SiteOrigin plugin versions 2.33.5 and earlier. The issue has been fixed in version 2.34.0.
Recommended Actions For Site Owners
Site owners using Page Builder by SiteOrigin should update to version 2.34.0 or newer. If updating is not possible, disable the plugin until it can be updated.