Skip to main content

Page Builder by SiteOrigin CVE-2026-13295

| EUVDEUVD-2026-39955 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-27 Wordfence GHSA-qq5h-jpgc-p42f
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

PR:L reflects mandatory Contributor auth; S:C because XSS executes cross-origin in victim browsers; UI:N defensible for stored XSS where no additional victim interaction beyond page load is required.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 27, 2026 - 07:52 vuln.today
CVE Published
Jun 27, 2026 - 06:50 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Parameter in all versions up to, and including, 2.34.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is possible because the nonce and edit_post capability checks enforced during save are both satisfied by Contributor-level users for their own posts, and the panels_data value is stored as post meta - outside the scope of WordPress's unfiltered_html carve-out - meaning no wp_kses fallback prevents the unsanitized WP_Widget_Custom_HTML content from being persisted and later rendered verbatim on the frontend.

AnalysisAI

Stored Cross-Site Scripting in the Page Builder by SiteOrigin WordPress plugin (all versions through 2.34.3) allows authenticated contributors to persist arbitrary JavaScript into post meta and execute it in any visitor's browser. The vulnerability bypasses WordPress's native content-filtering mechanisms because panels_data is stored as raw post meta rather than post content, placing it outside the scope of the unfiltered_html capability carve-out and the wp_kses fallback that would otherwise sanitize WP_Widget_Custom_HTML widget content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate as Contributor-level user
Delivery
Edit own post with SiteOrigin Page Builder
Exploit
Inject JavaScript into Custom HTML widget panels_data
Install
Submit save request (nonce and edit_post checks pass)
C2
Payload stored verbatim as post meta
Execute
Victim loads published page
Impact
Injected script executes in victim browser

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session at Contributor level or above - unauthenticated exploitation is not possible given PR:L in the confirmed CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 6.4 (Medium) reflects a network-reachable, low-complexity, low-privilege attack with changed scope (S:C) but only partial confidentiality and integrity impact (C:L/I:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or controls a Contributor-level WordPress account on a target site. They create or edit one of their own posts using the SiteOrigin Page Builder, embedding a JavaScript payload (e.g., a cookie-stealing script) inside a Custom HTML widget block, which is serialized into the panels_data POST parameter during save. …
Remediation A fix commit has been landed in the plugin's SVN repository (changeset 3585987 at plugins.trac.wordpress.org); however, the exact patched release version number is not independently confirmed from the available reference data - administrators should update the plugin to the latest available version from the WordPress plugin directory and verify the installed version exceeds 2.34.3. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13295 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy