Platform
wordpress
Component
siteorigin-panels
Fixed in
2.33.6
CVE-2026-2448 describes a Local File Inclusion (LFI) vulnerability discovered in the Page Builder by SiteOrigin plugin for WordPress. This vulnerability allows authenticated attackers, possessing Contributor-level access or higher, to include and execute arbitrary files on the server. The vulnerability impacts versions 0.0.0 through 2.33.5, and a patch is available in version 2.34.0.
An attacker exploiting this LFI vulnerability can achieve remote code execution on the WordPress server. By leveraging the locate_template() function, a contributor-level user can include arbitrary PHP files, effectively bypassing access controls. This allows the attacker to execute malicious code, potentially leading to data theft, website defacement, or complete server compromise. The ability to upload images or other seemingly safe file types and then include them amplifies the attack surface, making exploitation relatively straightforward. This vulnerability shares similarities with other LFI exploits where attackers leverage file inclusion to gain unauthorized access and control.
CVE-2026-2448 was publicly disclosed on 2026-03-03. No public proof-of-concept (PoC) code has been identified at the time of writing, but the vulnerability's nature makes it likely that PoCs will emerge. The EPSS score is likely to be medium, given the relatively low complexity of exploitation once a file upload mechanism is available. It is not currently listed in the CISA KEV catalog.
WordPress websites utilizing the Page Builder by SiteOrigin plugin, particularly those with multiple contributors or users with elevated privileges, are at risk. Shared hosting environments where users have limited control over server configuration are also particularly vulnerable, as they may be unable to implement effective mitigation strategies beyond plugin updates.
• wordpress / composer / npm: `wp plugin list | grep 'Page Builder by SiteOrigin'`
• wordpress / composer / npm: `wp plugin update --all`
• wordpress / composer / npm: `grep -r 'locate_template(' /var/www/wordpress/wp-content/plugins/page-builder-siteorigin/*`
• generic web: Check the WordPress plugin directory for the updated version and security advisories.
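As an added example (not code from this advisory or from the SiteOrigin project), the following POSIX shell script wraps the checks listed above: it reads the installed plugin version with wp-cli, classifies it against the fixed version the advisory names, and lists the plugin's `locate_template()` call sites so the path handling can be reviewed. The wp-cli invocation, the `WP_PATH` variable and the plugin directory derived from the component slug `siteorigin-panels` are assumptions; the version comparison is pure shell so it does not depend on `sort -V`.

```shell
#!/bin/sh
# Added example, not from the advisory or the SiteOrigin project.
# Assumptions: wp-cli is installed and WP_PATH (default /var/www/wordpress)
# points at the WordPress root.

FIXED_VERSION="2.34.0"          # fixed version named in the advisory text
PLUGIN_SLUG="siteorigin-panels" # component slug from the advisory header

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Components are compared numerically (2.9.0 < 2.34.0); a trailing
# non-numeric suffix such as "-beta" is ignored.
version_lt() {
    va="$1"; vb="$2"
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ca=${va%%.*}; cb=${vb%%.*}
        if [ "$ca" = "$va" ]; then va=""; else va=${va#*.}; fi
        if [ "$cb" = "$vb" ]; then vb=""; else vb=${vb#*.}; fi
        ca=${ca%%[!0-9]*}; cb=${cb%%[!0-9]*}
        ca=${ca:-0}; cb=${cb:-0}
        [ "$ca" -lt "$cb" ] && return 0
        [ "$ca" -gt "$cb" ] && return 1
    done
    return 1
}

# classify_version V: print "vulnerable" if V is below FIXED_VERSION, else "patched".
classify_version() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# installed_version: print the installed plugin version via wp-cli (assumed
# available); prints nothing when the plugin or wp-cli is absent.
installed_version() {
    wp plugin get "$PLUGIN_SLUG" --field=version \
        --path="${WP_PATH:-/var/www/wordpress}" 2>/dev/null
}

# check_plugin: report the status and, if vulnerable, every locate_template()
# call site in the plugin directory for manual review.
check_plugin() {
    v=$(installed_version)
    if [ -z "$v" ]; then
        echo "$PLUGIN_SLUG: not installed or wp-cli unavailable"
        return 0
    fi
    status=$(classify_version "$v")
    echo "$PLUGIN_SLUG $v: $status (fixed in $FIXED_VERSION)"
    if [ "$status" = "vulnerable" ]; then
        grep -rn 'locate_template(' \
            "${WP_PATH:-/var/www/wordpress}/wp-content/plugins/$PLUGIN_SLUG"
    fi
}

# Run the check only when wp-cli is present, so the functions can also be
# sourced and used individually.
command -v wp >/dev/null 2>&1 && check_plugin
```

Run it on the host as `WP_PATH=/path/to/wordpress sh check-siteorigin.sh`; a "vulnerable" result means the installed version is below the fixed version from the advisory and the plugin should be updated (`wp plugin update --all` as listed above).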
Disclosure
Exploit status
EPSS
0.10% (28th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2448 is to immediately upgrade the Page Builder by SiteOrigin plugin to version 2.34.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file upload permissions to prevent attackers from uploading malicious PHP files. Implement strict input validation and sanitization on any user-supplied data used in file paths. While a WAF might offer some protection, it's not a substitute for patching the vulnerable plugin. Regularly review WordPress plugin security and consider using a security scanner to identify potential vulnerabilities.
Update to version 2.34.0 or a newer patched version.
CVE-2026-2448 is a Local File Inclusion vulnerability affecting the Page Builder by SiteOrigin WordPress plugin, allowing authenticated users to execute arbitrary PHP code.
You are affected if you are using Page Builder by SiteOrigin versions 0.0.0 through 2.33.5. Upgrade to 2.34.0 or later to resolve the issue.
Upgrade the Page Builder by SiteOrigin plugin to version 2.34.0 or later. Consider restricting file upload permissions as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that exploitation attempts will occur. Monitor security advisories.
Refer to the official Page Builder by SiteOrigin plugin documentation and WordPress security announcements for the latest advisory information.