Vulnerabilities and security researches forsiteorigin-panels siteorigin-panels
Direction: ascendingJun 07, 2024
Page Builder by SiteOrigin # CVE-2020-13642
- CVE, Research URL
- Home page URL
- Application
- Date
- May 28, 2020
- Research Description
- An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The action_builder_content function did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The panels_data $_POST variable allows for malicious JavaScript to be executed in the victim's browser.
- Affected versions
-
max 2.10.16.
- Status
-
vulnerable
Page Builder by SiteOrigin # CVE-2020-13643
- CVE, Research URL
- Home page URL
- Application
- Date
- May 28, 2020
- Research Description
- An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The live_editor_panels_data $_POST variable allows for malicious JavaScript to be executed in the victim's browser.
- Affected versions
-
max 2.10.16.
- Status
-
vulnerable
Page Builder by SiteOrigin # CVE-2024-2202
- CVE, Research URL
- Home page URL
- Application
- Date
- Mar 23, 2024
- Research Description
- The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the legacy Image widget in all versions up to, and including, 2.29.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 2.29.7.
- Status
-
vulnerable
Page Builder by SiteOrigin # CVE-2024-4361
- CVE, Research URL
- Home page URL
- Application
- Date
- May 21, 2024
- Research Description
- The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 2.29.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 2.29.16.
- Status
-
vulnerable
Jan 14, 2025
Page Builder by SiteOrigin # CVE-2024-12240
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 14, 2025
- Research Description
- The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the row label parameter in all versions up to, and including, 2.31.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 2.31.1.
- Status
-
vulnerable
Mar 04, 2025
Page Builder by SiteOrigin # CVE-2025-1459
- CVE, Research URL
- Home page URL
- Application
- Date
- Mar 01, 2025
- Research Description
- The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Embedded Video(PB) widget in all versions up to, and including, 2.31.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 2.31.5.
- Status
-
vulnerable
Jun 13, 2026
Page Builder by SiteOrigin # CVE-2026-2448
- CVE, Research URL
- Home page URL
- Application
- Date
- Mar 03, 2026
- Research Description
- The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.5 via the locate_template() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
- Affected versions
-
max 2.34.0.
- Status
-
vulnerable
Jun 16, 2026
Page Builder by SiteOrigin # 1e41e28d73ee07988103bc82e084fa9675c16627
- CVE, Research URL
- Home page URL
- Application
- Date
- Dec 01, 2015
- Research Description
- Page Builder by SiteOrigin [siteorigin-panels] < 2.0.5 Page Builder by SiteOrigin < 2.0.5 - Reflected Cross-Site Scripting The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘siteorigin_panels_render_form()’ parameter in versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- Affected versions
-
max 2.0.5.
- Status
-
vulnerable
Page Builder by SiteOrigin # f0c92465-96cb-4497-8f00-9bee6acce78a
- CVE, Research URL
- Home page URL
- Application
- Date
- -
- Research Description
- Page Builder by SiteOrigin [siteorigin-panels] < 2.0.5 Page Builder by SiteOrigin 2.0.3 - Reflected XSS The Page Builder by SiteOrigin WordPress plugin was affected by a Reflected XSS security vulnerability.
- Affected versions
-
max 2.0.5.
- Status
-
vulnerable
Page Builder by SiteOrigin # f4e959e62611c9a76b68d0a4b11d6107fcb3a280
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 12, 2015
- Research Description
- Page Builder by SiteOrigin [siteorigin-panels] < 2.0.5 WordPress Page Builder Plugin <= 2.0.3 - Reflected XSS Because of this vulnerability, the attackers can inject arbitrary web script or HTML. Update the plugin.
- Affected versions
-
max 2.0.5.
- Status
-
vulnerable
Page Builder by SiteOrigin # 395bd7567550e3d71b57b01706f58dd6fd4e328b
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 12, 2023
- Research Description
- Page Builder by SiteOrigin [siteorigin-panels] < 2.0.5 WordPress Page Builder by SiteOrigin Plugin <= 2.0.3 is vulnerable to Cross Site Scripting (XSS) Update the plugin. An unknown person discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Page Builder by SiteOrigin Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.0.5.
- Affected versions
-
max 2.0.5.
- Status
-
vulnerable
Jun 29, 2026
Page Builder by SiteOrigin # CVE-2026-13295
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 27, 2026
- Research Description
- The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Parameter in all versions up to, and including, 2.34.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is possible because the nonce and edit_post capability checks enforced during save are both satisfied by Contributor-level users for their own posts, and the panels_data value is stored as post meta — outside the scope of WordPress's unfiltered_html carve-out — meaning no wp_kses fallback prevents the unsanitized WP_Widget_Custom_HTML content from being persisted and later rendered verbatim on the frontend.
- Affected versions
-
max 2.34.4.
- Status
-
vulnerable