An advisory has been published about a high-severity vulnerability found in the Page Builder by SiteOrigin WordPress plugin, which is installed on more than 500,000 sites. This is the third vulnerability found in the SiteOrigin Page Builder in 2026. The vulnerability is rated 8.8 on the CVSS severity scale.
What The Plugin Does
Page Builder by SiteOrigin is a drag-and-drop layout builder for WordPress. It lets site owners create responsive, column-based page designs using standard WordPress widgets. Users can build pages visually without writing code.
Because it works with most themes and does not require coding knowledge, it is widely used on business and personal websites.
Requires Contributor-Level Access
The vulnerability requires authentication. An attacker must have Contributor-level access or higher. Contributor is one of the lowest WordPress user roles: Contributors can create and submit posts but cannot publish them. This means the vulnerability does not require administrator access, but it does require an account.
Local File Inclusion Vulnerability
The plugin is vulnerable to Local File Inclusion in all versions up to and including 2.33.5.
Local File Inclusion means the plugin can be made to load files from the server without properly restricting which files are allowed.
The issue exists in the locate_template() function.
What Went Wrong
The plugin does not properly restrict which files can be included by the locate_template() function.
That function should only load approved template files.
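To make the missing restriction concrete, the following is an added example written for this article; it is not code from the SiteOrigin plugin and does not reproduce its actual locate_template() implementation. It contrasts a hypothetical template locator that joins a caller-supplied name onto the template directory with no check against a hardened form that only accepts an allowlisted template name whose canonical path stays inside the template directory. The function names, the template names in the allowlist, and the temporary directory tree built by demo() are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not the plugin's own code. Function names, the
// allowlisted template names and the demo directory tree are assumptions.

// Weak form: the requested name is joined to the template directory with no
// restriction, so a relative path can resolve to any readable file on the
// server, and an include() of the result would run any PHP inside it.
function resolve_template_unrestricted(string $template_dir, string $name): string
{
    return $template_dir . '/' . $name;
}

// Hardened form with two independent checks:
//  1. the name must be one of the templates the plugin ships (allowlist);
//  2. the canonical path must lie inside the template directory (realpath).
// Returns the canonical path, or null when either check fails.
function resolve_template_allowlisted(string $template_dir, string $name): ?string
{
    $allowed = ['row.php', 'cell.php', 'widget.php'];   // assumed template set
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . '/' . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // Compare with a trailing separator so "/templates-other" is not
    // mistaken for a child of "/templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Self-contained demonstration on a temporary directory tree constructed for
// this example: one legitimate template, plus a file that sits outside the
// template directory in the way an uploaded file would.
function demo(): array
{
    $root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
    mkdir("$root/templates", 0700, true);
    mkdir("$root/uploads", 0700, true);
    file_put_contents("$root/templates/row.php", "<?php echo 'row template';\n");
    file_put_contents("$root/uploads/avatar.png", "not a template\n");

    $dir     = "$root/templates";
    $outside = '../uploads/avatar.png';   // a name that points outside $dir

    $result = [
        'unrestricted_row'     => file_exists(resolve_template_unrestricted($dir, 'row.php')),
        'unrestricted_outside' => file_exists(resolve_template_unrestricted($dir, $outside)),
        'allowlisted_row'      => resolve_template_allowlisted($dir, 'row.php') !== null,
        'allowlisted_outside'  => resolve_template_allowlisted($dir, $outside) !== null,
    ];

    // Remove the constructed tree again.
    unlink("$root/templates/row.php");
    unlink("$root/uploads/avatar.png");
    rmdir("$root/templates");
    rmdir("$root/uploads");
    rmdir($root);

    return $result;
}

var_export(demo());
```

Run with `php example.php`. The unrestricted resolver finds both the real template and the file outside the template directory, which is the shape of the defect the advisory describes; the allowlisted resolver finds only the template and returns null for the outside path. The allowlist alone would already reject the traversal, but the realpath prefix check is kept as a second, independent guard so that a future addition to the allowlist, or a symlink inside the template directory, cannot silently reopen the hole.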
What Attackers Can Do
Because the restriction is missing, an authenticated attacker can cause the plugin to include arbitrary files that already exist on the server.
If an attacker can upload a file to the server, they may be able to force the plugin to include that file and execute it as PHP code.
According to the official Wordfence advisory:
“The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.5 via the locate_template() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.”
Affected And Patched Versions
The vulnerability affects Page Builder by SiteOrigin plugin versions 2.33.5 and earlier. The issue has been fixed in version 2.34.0.
Recommended Actions For Site Owners
Site owners using Page Builder by SiteOrigin should update to version 2.34.0 or newer. If updating is not possible, disable the plugin until it can be updated.
Featured Image by Shutterstock/Jan phanomphrai