Description
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Parameter in all versions up to, and including, 2.34.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is possible because the nonce and edit_post capability checks enforced during save are both satisfied by Contributor-level users for their own posts, and the panels_data value is stored as post meta — outside the scope of WordPress's unfiltered_html carve-out — meaning no wp_kses fallback prevents the unsanitized WP_Widget_Custom_HTML content from being persisted and later rendered verbatim on the frontend.
Published: 2026-06-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Page Builder by SiteOrigin plugin for WordPress allows authenticated users with Contributor‑level or higher privileges to store arbitrary JavaScript in the panels_data parameter. This data is saved as post meta outside the scope of WordPress’s unfiltered_html protection, meaning no automatic sanitization occurs. When the content is rendered on the front‑end it is output verbatim, exposing visitors to stored cross‑site scripting that can steal cookies, hijack sessions, exfiltrate data or redirect users to malicious sites. The flaw represents a textbook example of CWE‑79, improper handling of user input in web output.

Affected Systems

All WordPress installations that run the Page Builder by SiteOrigin plugin version 2.34.3 or earlier are affected. Every site that has this plugin installed and that allows any user with Contributor or higher permissions to create or edit pages is at risk.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity vulnerability. No EPSS score is currently available, and the issue is not listed in CISA’s KEV catalog, suggesting no widespread exploitation yet. Attackers typically exfiltrate an exploit by accessing the admin interface, editing or creating a page and inserting malicious payloads into the panels_data field. Once stored, the payload is served to every visitor of the affected page, weakening all users who view it. Exploitation requires authenticated access, limiting the scope to sites where attackers can obtain at least Contributor privileges, but the impact spreads to all site visitors who load the compromised pages.

Generated by OpenCVE AI on June 27, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or restrict the use of the custom HTML widget for Contributor users until a mitigated version is available
  • Manually review and remove any JavaScript or suspicious content from the panels_data meta field in existing posts or widgets
  • Implement server‑side filtering on the panels_data parameter using wp_kses or a custom sanitizer to strip disallowed tags before storage

Generated by OpenCVE AI on June 27, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Gpriday
Gpriday page Builder By Siteorigin
Wordpress
Wordpress wordpress
Vendors & Products Gpriday
Gpriday page Builder By Siteorigin
Wordpress
Wordpress wordpress

Sat, 27 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Description The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Parameter in all versions up to, and including, 2.34.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is possible because the nonce and edit_post capability checks enforced during save are both satisfied by Contributor-level users for their own posts, and the panels_data value is stored as post meta — outside the scope of WordPress's unfiltered_html carve-out — meaning no wp_kses fallback prevents the unsanitized WP_Widget_Custom_HTML content from being persisted and later rendered verbatim on the frontend.
Title Page Builder by SiteOrigin <= 2.34.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via panels_data Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Gpriday Page Builder By Siteorigin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-29T12:21:54.024Z

Reserved: 2026-06-24T22:08:37.541Z

Link: CVE-2026-13295

cve-icon Vulnrichment

Updated: 2026-06-29T12:21:48.398Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T12:15:08Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')