
Critical Page Builder by SiteOrigin flaw puts 500,000 WordPress sites at risk - are you patched?

Reviewed: Andrii Daniv
Mar 3, 2026

In 2026, Wordfence disclosed a high-severity vulnerability in the Page Builder by SiteOrigin WordPress plugin, which is installed on more than 500,000 sites. The flaw affects versions up to 2.33.5.

Page Builder by SiteOrigin WordPress vulnerability

The vulnerability is classified as an authenticated local file inclusion issue. It carries a CVSS severity score of 8.8, rated high, and is the third vulnerability reported in this plugin in 2026.

Exploitation requires a WordPress user account with Contributor-level permissions or higher. The flaw affects all plugin versions up to and including 2.33.5 and has been fixed in version 2.34.0. Site owners running affected versions should update to 2.34.0 or later to receive the patch.
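A version audit for the update advice above, as an added example that is not from the article or the Wordfence advisory: it reads the standard `Plugin Name:` / `Version:` header fields of each plugin under a plugins directory and flags copies of this plugin older than 2.34.0. The default `wp-content/plugins` path is an assumption about the install layout.

```python
import re
import sys
from pathlib import Path

PLUGIN_NAME = "Page Builder by SiteOrigin"  # plugin name as given in the article
FIXED = (2, 34, 0)                          # first patched release per the article

# WordPress plugin headers are "Key: value" lines inside a leading PHP comment.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.I | re.M)


def parse_version(text):
    """Turn '2.33.5' into (2, 33, 5); missing components count as 0."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def read_header(php_file):
    """Return (plugin name, version) from the first 8 KB of a plugin file."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    fields = {}
    for key, value in HEADER.findall(head):
        fields.setdefault(key.lower(), value.strip())
    return fields.get("plugin name"), fields.get("version")


def audit(plugins_dir):
    """List (folder, version, status) for every copy of the plugin found."""
    results = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        name, version = read_header(php_file)
        if name != PLUGIN_NAME:
            continue
        if not version:
            status = "unknown"  # header present but no version field
        elif parse_version(version) >= FIXED:
            status = "patched"
        else:
            status = "vulnerable"  # 2.33.5 or earlier
        results.append((php_file.parent.name, version, status))
    return results


if __name__ == "__main__":
    # Assumed default path; pass the real plugins directory as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for folder, version, status in audit(target):
        print(f"{folder}: {version} -> {status}")
```

An inactive copy of the plugin is still reported, since the vulnerable files remain on disk until it is updated or removed.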

Key details

  • Plugin: Page Builder by SiteOrigin, a drag-and-drop page layout builder for WordPress.
  • Installations: more than 500,000 active sites use the plugin.
  • Vulnerability type: authenticated local file inclusion (Contributor level or higher) via the locate_template() function.
  • Severity: CVSS score 8.8, categorized as high severity.
  • Access required: any authenticated account with Contributor, Author, Editor, or Administrator permissions.
  • Affected versions: all releases up to and including Page Builder by SiteOrigin 2.33.5.
  • Patched version: Page Builder by SiteOrigin 2.34.0 includes a fix for the vulnerability.
  • Discovery and disclosure: documented in a Wordfence advisory published in 2026.

Background context

Page Builder by SiteOrigin is a drag-and-drop layout tool for WordPress sites. It lets users create responsive, column-based page designs using standard WordPress widgets, supporting visual page building without code and working with many WordPress themes.

The reported issue requires authentication and cannot be triggered by anonymous visitors. A Contributor in WordPress can create and submit posts but cannot publish them. Any account with Contributor-level access or higher can attempt to exploit the flaw.

The vulnerability stems from insufficient validation in the plugin's locate_template() function, which is intended to load specific template files from the server. Missing restrictions in this function make it possible to include arbitrary files already present on the server.

According to the official Wordfence advisory, attackers can include and execute arbitrary files on the server. Any PHP code in those files can run when they are included, which can bypass access controls and expose sensitive data.

Source citations

  • Wordfence advisory on the Page Builder by SiteOrigin 2.33.5 authenticated Contributor local file inclusion vulnerability.
  • Search Engine Journal report by Roger Montti summarizing the Wordfence disclosure and patch information for Page Builder by SiteOrigin.
Author
Etavrian AI
Etavrian AI is developed by Andrii Daniv to produce and optimize content for etavrian.com website.