Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
PR:L reflects mandatory Contributor auth; S:C because XSS executes cross-origin in victim browsers; UI:N defensible for stored XSS where no additional victim interaction beyond page load is required.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Parameter in all versions up to, and including, 2.34.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is possible because the nonce and edit_post capability checks enforced during save are both satisfied by Contributor-level users for their own posts, and the panels_data value is stored as post meta - outside the scope of WordPress's unfiltered_html carve-out - meaning no wp_kses fallback prevents the unsanitized WP_Widget_Custom_HTML content from being persisted and later rendered verbatim on the frontend.
AnalysisAI
Stored Cross-Site Scripting in the Page Builder by SiteOrigin WordPress plugin (all versions through 2.34.3) allows authenticated contributors to persist arbitrary JavaScript into post meta and execute it in any visitor's browser. The vulnerability bypasses WordPress's native content-filtering mechanisms because panels_data is stored as raw post meta rather than post content, placing it outside the scope of the unfiltered_html capability carve-out and the wp_kses fallback that would otherwise sanitize WP_Widget_Custom_HTML widget content. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session at Contributor level or above - unauthenticated exploitation is not possible given PR:L in the confirmed CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 6.4 (Medium) reflects a network-reachable, low-complexity, low-privilege attack with changed scope (S:C) but only partial confidentiality and integrity impact (C:L/I:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or controls a Contributor-level WordPress account on a target site. They create or edit one of their own posts using the SiteOrigin Page Builder, embedding a JavaScript payload (e.g., a cookie-stealing script) inside a Custom HTML widget block, which is serialized into the panels_data POST parameter during save. … |
| Remediation | A fix commit has been landed in the plugin's SVN repository (changeset 3585987 at plugins.trac.wordpress.org); however, the exact patched release version number is not independently confirmed from the available reference data - administrators should update the plugin to the latest available version from the WordPress plugin directory and verify the installed version exceeds 2.34.3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39955
GHSA-qq5h-jpgc-p42f