Impact
The Page Builder by SiteOrigin plugin for WordPress allows authenticated users with Contributor‑level or higher privileges to store arbitrary JavaScript in the panels_data parameter. This data is saved as post meta outside the scope of WordPress’s unfiltered_html protection, meaning no automatic sanitization occurs. When the content is rendered on the front‑end it is output verbatim, exposing visitors to stored cross‑site scripting that can steal cookies, hijack sessions, exfiltrate data or redirect users to malicious sites. The flaw represents a textbook example of CWE‑79, improper handling of user input in web output.
Affected Systems
All WordPress installations that run the Page Builder by SiteOrigin plugin version 2.34.3 or earlier are affected. Every site that has this plugin installed and that allows any user with Contributor or higher permissions to create or edit pages is at risk.
Risk and Exploitability
The CVSS score of 6.4 indicates a medium severity vulnerability. No EPSS score is currently available, and the issue is not listed in CISA’s KEV catalog, suggesting no widespread exploitation yet. Attackers typically exfiltrate an exploit by accessing the admin interface, editing or creating a page and inserting malicious payloads into the panels_data field. Once stored, the payload is served to every visitor of the affected page, weakening all users who view it. Exploitation requires authenticated access, limiting the scope to sites where attackers can obtain at least Contributor privileges, but the impact spreads to all site visitors who load the compromised pages.
OpenCVE Enrichment