Page Builder by SiteOrigin Vulnerabilities Expose 1M WordPress Sites

Two vulnerabilities were reported in Page Builder by SiteOrigin, a very popular WordPress plugin installed on more than 1 million websites.

The security flaws are described as “Cross-Site Request Forgery to Reflected Cross-Site Scripting”. They could enable attackers to forge requests on behalf of the site admin and execute malicious code in the admin’s browser, says the Wordfence Threat Intelligence team.

How can the Page Builder by SiteOrigin vulnerabilities be exploited?

In order to exploit the two vulnerabilities, an attacker would have to trick the site administrator into performing a specific action, such as clicking on a link or an attachment. The good news is that, after Wordfence contacted the plugin developer, a patch was quickly released.

Nonetheless, the vulnerabilities are considered high-risk, as they can lead to a full site takeover if they remain unpatched. To avoid compromise, website admins are urged to update the Page Builder plugin to the latest version, which is currently version 2.10.16.
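To make the “CSRF to reflected XSS” chain concrete, here is an added illustration of the general pattern in a hypothetical WordPress admin-ajax handler, shown vulnerable and then hardened. This is example code written for this article, not SiteOrigin’s code; the action names (`hthg_preview`) and function names are invented.

```php
<?php
// Added illustration (not SiteOrigin's code) of the CSRF-to-reflected-XSS
// pattern in a hypothetical admin-ajax handler, followed by the hardened form.
// All names here ('hthg_preview', hthg_preview_*) are hypothetical.

// VULNERABLE: no nonce check, no capability check, and request data is
// echoed unescaped. A logged-in admin who follows a forged link to this
// endpoint gets attacker-supplied markup rendered in their own browser.
function hthg_preview_vulnerable() {
    $title = $_REQUEST['title']; // attacker-controlled
    echo '<h1 class="preview-title">' . $title . '</h1>';
    wp_die();
}
add_action( 'wp_ajax_hthg_preview_vulnerable', 'hthg_preview_vulnerable' );

// HARDENED: an action-bound nonce stops the forged cross-site request,
// a capability check limits who may call it, and input sanitisation plus
// output escaping stop the reflected XSS even if the request is genuine.
function hthg_preview_fixed() {
    // The nonce is minted by this site for this action; a third-party page
    // cannot supply a valid one. Missing or invalid nonce ends with HTTP 403.
    check_ajax_referer( 'hthg_preview', '_wpnonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    $title = isset( $_REQUEST['title'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['title'] ) )
        : '';
    echo '<h1 class="preview-title">' . esc_html( $title ) . '</h1>';
    wp_die();
}
add_action( 'wp_ajax_hthg_preview_fixed', 'hthg_preview_fixed' );

// The legitimate caller (the plugin's own UI) builds the URL with the nonce
// attached, which is exactly what a forged link from another origin lacks.
function hthg_preview_url( $title ) {
    $url = admin_url( 'admin-ajax.php?action=hthg_preview_fixed&title=' . rawurlencode( $title ) );
    return wp_nonce_url( $url, 'hthg_preview', '_wpnonce' );
}
```

The nonce check is what removes the CSRF half of the chain; the escaping is what removes the XSS half, and a fix needs both.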

More about Page Builder by SiteOrigin

This is a plugin designed to simplify page and post editing in WordPress. With it, users can create responsive, column-based content, with the help of widgets from WordPress and widgets from the SiteOrigin Widgets Bundle plugin.

In addition, the plugin also features a built-in live editor, which helps users update content and drag/drop widgets, and observe the changes in real time.

In conclusion, two high-risk security vulnerabilities were discovered in the Page Builder by SiteOrigin plugin that allowed attackers to forge requests on behalf of a site administrator. This could then lead to the execution of malicious code in the admin’s browser. Fortunately, the two flaws were addressed and patched in Page Builder version 2.10.16. The general recommendation is that users immediately update to the latest version of the plugin.

Full technical disclosure of the vulnerabilities is available.


Researched and created by:
Krum Popov
Passionate web entrepreneur, has been crafting web projects since 2007. In 2020, he founded HTH.Guide, a platform dedicated to streamlining the search for the right web hosting solution.
Technically reviewed by:
Metodi Ivanov
Seasoned web development expert with 8+ years of experience, including specialized knowledge in hosting environments.
