Skip to main content

Page Builder By Siteorigin

1 CVEs product

Monthly

CVE-2026-13295 MEDIUM This Month

Stored Cross-Site Scripting in the Page Builder by SiteOrigin WordPress plugin (all versions through 2.34.3) allows authenticated contributors to persist arbitrary JavaScript into post meta and execute it in any visitor's browser. The vulnerability bypasses WordPress's native content-filtering mechanisms because panels_data is stored as raw post meta rather than post content, placing it outside the scope of the unfiltered_html capability carve-out and the wp_kses fallback that would otherwise sanitize WP_Widget_Custom_HTML widget content. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor level) makes this a realistic threat on any multi-author or open-registration WordPress installation.

WordPress XSS Page Builder By Siteorigin
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Page Builder by SiteOrigin WordPress plugin (all versions through 2.34.3) allows authenticated contributors to persist arbitrary JavaScript into post meta and execute it in any visitor's browser. The vulnerability bypasses WordPress's native content-filtering mechanisms because panels_data is stored as raw post meta rather than post content, placing it outside the scope of the unfiltered_html capability carve-out and the wp_kses fallback that would otherwise sanitize WP_Widget_Custom_HTML widget content. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor level) makes this a realistic threat on any multi-author or open-registration WordPress installation.

WordPress XSS Page Builder By Siteorigin
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy