PatchSiren cyber security CVE debrief
CVE-2026-13295 gpriday CVE debrief
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the panels_data parameter in all versions up to and including 2.34.3, due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access and above can inject arbitrary web scripts into pages; the script executes whenever a user views the injected page. The vulnerability exists because the nonce and edit_post capability checks enforced during save are both satisfied by Contributor-level users for their own posts, and because the panels_data value is stored as post meta, outside the scope of WordPress's unfiltered_html carve-out, so no wp_kses fallback prevents the unsanitized WP_Widget_Custom_HTML content from being persisted and later rendered verbatim on the frontend. The CVSS score for this vulnerability is 6.4, indicating Medium severity. The vulnerability was published on June 27, 2026, and modified on June 29, 2026.
- Vendor: gpriday
- Product: Page Builder by SiteOrigin
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-27
- Original CVE updated: 2026-06-29
- Advisory published: 2026-06-27
- Advisory updated: 2026-06-29
Who should care
Administrators of WordPress sites running the Page Builder by SiteOrigin plugin should be aware of this vulnerability, particularly sites that grant Contributor-level access (or higher) to accounts that are not fully trusted, since any such account can exploit it. The vulnerability allows injected scripts to run in the browsers of visitors and logged-in users who view an affected page, which can lead to further compromise. Administrators responsible for the plugin should take immediate action to mitigate this vulnerability.
Technical summary
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the panels_data parameter in all versions up to and including 2.34.3. The vulnerability arises from insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which execute when a user accesses the injected page. Two conditions make this possible: Contributor-level users satisfy the nonce and edit_post capability checks for their own posts, and the panels_data value is stored as post meta, outside the scope of WordPress's unfiltered_html carve-out. As a result, there is no wp_kses fallback to prevent the unsanitized WP_Widget_Custom_HTML content from being persisted and later rendered verbatim on the frontend.
Defensive priority
High priority should be given to updating the Page Builder by SiteOrigin plugin to a version that addresses this vulnerability. Administrators should ensure that accounts with Contributor-level access and above are limited to trusted users and that those users are aware of the risks.
Recommended defensive actions
- Update the Page Builder by SiteOrigin plugin to the latest version.
- Restrict Contributor-level access to only trusted users.
- Implement additional security measures, such as input validation and output encoding, to prevent similar vulnerabilities.
- Monitor the plugin's administrative interface for suspicious activity.
- Consider implementing a web application firewall (WAF) to detect and prevent XSS attacks.
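The technical summary above describes the missing control precisely: panels_data saved by a user who lacks unfiltered_html is never passed through wp_kses before it is persisted. The must-use plugin below is an added example written for this debrief, not the plugin's own code or the vendor's patch. It restores that fallback on the defender's side and adds a WP-CLI audit that flags already-stored Custom HTML widget content which wp_kses_post() would alter, which serves the "input validation and output encoding" and "monitor for suspicious activity" items in the list above. The panels_data layout it walks (a top-level "widgets" array whose entries carry panels_info['class'] and, for Custom HTML widgets, a "content" string) and the panels_guard_* names are assumptions; the WordPress hooks and functions it calls (add_post_metadata, update_post_metadata, wp_kses_post, current_user_can, WP_CLI::add_command) are core APIs.

```php
<?php
/**
 * Plugin Name: panels_data guard (added example for this debrief; not the vendor's fix)
 *
 * Drop into wp-content/mu-plugins/. Two pieces:
 *  1. A filter that, when a user WITHOUT unfiltered_html saves panels_data, runs every
 *     WP_Widget_Custom_HTML widget's "content" through wp_kses_post() before the meta
 *     is written, i.e. the fallback the advisory says is missing.
 *  2. A WP-CLI command, `wp panels-guard audit`, listing posts whose stored Custom HTML
 *     widget content would be changed by wp_kses_post().
 *
 * ASSUMPTION: panels_data is an array with a top-level "widgets" list, each entry
 * carrying panels_info['class'] and, for Custom HTML widgets, a "content" string.
 * That layout is inferred for this example, not taken from the advisory.
 */

/** Return panels_data with Custom HTML widget content filtered; $changed reports whether anything differed. */
function panels_guard_filter_widgets( $data, &$changed ) {
    $changed = false;
    if ( ! is_array( $data ) || empty( $data['widgets'] ) || ! is_array( $data['widgets'] ) ) {
        return $data;
    }
    foreach ( $data['widgets'] as $i => $widget ) {
        $class = isset( $widget['panels_info']['class'] ) ? $widget['panels_info']['class'] : '';
        if ( 'WP_Widget_Custom_HTML' !== $class || ! isset( $widget['content'] ) || ! is_string( $widget['content'] ) ) {
            continue;
        }
        $clean = wp_kses_post( $widget['content'] );
        if ( $clean !== $widget['content'] ) {
            $data['widgets'][ $i ]['content'] = $clean;
            $changed = true;
        }
    }
    return $data;
}

/** Hooked on add_/update_post_metadata: sanitize panels_data for users lacking unfiltered_html. */
function panels_guard_on_save( $check, $object_id, $meta_key, $meta_value, $unused ) {
    if ( 'panels_data' !== $meta_key || current_user_can( 'unfiltered_html' ) ) {
        return $check; // null: let WordPress write the value unchanged
    }
    $clean = panels_guard_filter_widgets( $meta_value, $changed );
    if ( ! $changed ) {
        return $check;
    }
    // Write the sanitized copy ourselves. Unhook first so the nested write does not
    // re-enter this filter; wp_slash() because update_post_meta() expects slashed input.
    remove_filter( 'add_post_metadata', 'panels_guard_on_save', 10 );
    remove_filter( 'update_post_metadata', 'panels_guard_on_save', 10 );
    $result = update_post_meta( $object_id, $meta_key, wp_slash( $clean ) );
    add_filter( 'add_post_metadata', 'panels_guard_on_save', 10, 5 );
    add_filter( 'update_post_metadata', 'panels_guard_on_save', 10, 5 );
    return (bool) $result; // non-null short-circuits the original (unsanitized) write
}
add_filter( 'add_post_metadata', 'panels_guard_on_save', 10, 5 );
add_filter( 'update_post_metadata', 'panels_guard_on_save', 10, 5 );

/** `wp panels-guard audit`: report posts whose stored Custom HTML content is not wp_kses_post-clean. */
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'panels-guard audit', function () {
        global $wpdb;
        $ids  = $wpdb->get_col( "SELECT DISTINCT post_id FROM {$wpdb->postmeta} WHERE meta_key = 'panels_data'" );
        $hits = 0;
        foreach ( $ids as $post_id ) {
            $data = get_post_meta( (int) $post_id, 'panels_data', true );
            panels_guard_filter_widgets( $data, $changed );
            if ( $changed ) {
                $hits++;
                $author = get_the_author_meta( 'user_login', (int) get_post_field( 'post_author', (int) $post_id ) );
                WP_CLI::warning( sprintf( 'post %d (author %s): Custom HTML widget contains markup wp_kses_post would strip', $post_id, $author ) );
            }
        }
        WP_CLI::success( sprintf( 'scanned %d posts, %d flagged', count( $ids ), $hits ) );
    } );
}
```

The save-time filter returns null for trusted users, so administrators with unfiltered_html keep WordPress's normal behaviour, and it only intervenes when wp_kses_post() actually changes something. Note that WP-CLI runs without a logged-in user, so an import that writes panels_data from the command line will also be sanitized unless it sets a user with --user. The audit flags content for review rather than rewriting it, since a post flagged this way may have been authored legitimately by an administrator.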
Evidence notes
The CVE record for CVE-2026-13295 was published on June 27, 2026, and modified on June 29, 2026. The vulnerability was reported by [email protected]. The CVSS score for this vulnerability is 6.4, indicating a Medium severity.
Official resources
This article is AI-assisted and based on the supplied source corpus.