Page Builder By Siteorigin
Monthly
Stored Cross-Site Scripting in the Page Builder by SiteOrigin WordPress plugin (all versions through 2.34.3) allows authenticated contributors to persist arbitrary JavaScript into post meta and execute it in any visitor's browser. The vulnerability bypasses WordPress's native content-filtering mechanisms because panels_data is stored as raw post meta rather than post content, placing it outside the scope of the unfiltered_html capability carve-out and the wp_kses fallback that would otherwise sanitize WP_Widget_Custom_HTML widget content. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor level) makes this a realistic threat on any multi-author or open-registration WordPress installation.
Stored Cross-Site Scripting in the Page Builder by SiteOrigin WordPress plugin (all versions through 2.34.3) allows authenticated contributors to persist arbitrary JavaScript into post meta and execute it in any visitor's browser. The vulnerability bypasses WordPress's native content-filtering mechanisms because panels_data is stored as raw post meta rather than post content, placing it outside the scope of the unfiltered_html capability carve-out and the wp_kses fallback that would otherwise sanitize WP_Widget_Custom_HTML widget content. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor level) makes this a realistic threat on any multi-author or open-registration WordPress installation.