Platform: wordpress
Component: siteorigin-panels
Fixed in: 2.33.6
CVE-2026-2448 describes a Local File Inclusion (LFI) vulnerability discovered in the Page Builder by SiteOrigin plugin for WordPress. This vulnerability allows authenticated attackers, possessing Contributor-level access or higher, to include and execute arbitrary files on the server. The vulnerability impacts versions 0.0.0 through 2.33.5, and a patch is available in version 2.34.0.
The impact of this LFI vulnerability is significant. An attacker can leverage it to execute arbitrary PHP code on the server, effectively gaining control over the WordPress instance. This could involve bypassing access controls, stealing sensitive data stored within the WordPress environment (database credentials, user information, configuration files), or even installing malicious software. The ability to execute arbitrary code opens the door to a wide range of attacks, potentially compromising the entire website and its associated data. The vulnerability's reliance on authenticated access, while limiting the initial attack surface, still poses a substantial risk to sites with less stringent user permission management.
CVE-2026-2448 was publicly disclosed on 2026-03-03. While no public proof-of-concept (PoC) code has been widely reported, the nature of LFI vulnerabilities makes it likely that one will emerge. The EPSS score is likely to be medium, indicating a moderate probability of exploitation given the vulnerability's severity and the availability of WordPress. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Exploit Status
EPSS: 0.10% (28% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-2448 is to immediately upgrade the Page Builder by SiteOrigin plugin to version 2.34.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file upload permissions for users with Contributor access or higher. Implement strict input validation and sanitization on all user-supplied data to prevent malicious file paths from being injected. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious file paths or patterns associated with LFI exploitation. Regularly review WordPress user roles and permissions to ensure least privilege access.
Update to version 2.34.0, or a newer patched version
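To find which installs still fall in the affected range, the following added example (not code from the advisory or from the plugin's developers) scans a directory tree for copies of the plugin and reads the version from the WordPress plugin header. It assumes plugins live under `wp-content/plugins/siteorigin-panels` and treats every version up to 2.33.5 as affected, as stated above; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "siteorigin-panels"   # component name given in the advisory
LAST_AFFECTED = (2, 33, 5)          # advisory: 0.0.0 through 2.33.5 are affected
# Same shape as a WordPress plugin header line, e.g. " * Version: 2.33.5"
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def parse_version(text):
    """'2.33.5' or '2.34.0-beta1' -> comparable 3-tuple; None if no digits."""
    nums = re.findall(r"\d+", text.split("-")[0])[:3]
    if not nums:
        return None
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))


def installed_version(plugin_dir):
    """Return the Version: header found in the plugin's top-level PHP files."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # The plugin header sits at the top of the file, so 8192 chars is ample.
        match = HEADER_RE.search(php.read_text(errors="replace")[:8192])
        if match:
            return match.group(1)
    return None


def audit(root):
    """Map each installed copy under root to (version string, status)."""
    results = {}
    for plugin_dir in Path(root).glob(f"**/wp-content/plugins/{PLUGIN_SLUG}"):
        raw = installed_version(plugin_dir)
        parsed = parse_version(raw) if raw else None
        if parsed is None:
            status = "unknown"          # no readable header: inspect by hand
        elif parsed <= LAST_AFFECTED:
            status = "vulnerable"
        else:
            status = "not affected"
        results[str(plugin_dir)] = (raw, status)
    return results


if __name__ == "__main__":
    # Usage: python audit_siteorigin.py /var/www   (the path is an example)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (ver, status) in sorted(audit(root).items()):
        print(f"{status:12}  {ver or '-':10}  {path}")
```

An `unknown` result means the header could not be read, so that copy needs a manual check rather than being assumed safe.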
CVE-2026-2448 is a Local File Inclusion vulnerability affecting the Page Builder by SiteOrigin WordPress plugin, allowing authenticated users to execute arbitrary PHP code.
You are affected if you are using Page Builder by SiteOrigin versions 0.0.0 through 2.33.5. Upgrade to 2.34.0 or later to resolve the issue.
Upgrade the Page Builder by SiteOrigin plugin to version 2.34.0 or later. Consider restricting file upload permissions as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that exploitation attempts will occur. Monitor security advisories.
Refer to the official Page Builder by SiteOrigin plugin documentation and WordPress security announcements for the latest advisory information.