Page Builder by SiteOrigin WordPress Vulnerability Affects Up To 500k Sites

According to Roger Montti’s article on Search Engine Journal, “Page Builder by SiteOrigin WordPress Vulnerability Affects Up To 500k Sites,” a high-severity security flaw has been identified in the Page Builder by SiteOrigin WordPress plugin, potentially impacting over 500,000 websites.

Vulnerability Overview

Montti reports the issue is rated 8.8 (High) and is the third vulnerability found in the plugin in 2026. It requires authentication but can be exploited by users with Contributor-level access or higher, one of WordPress’s lowest permission roles.

Root Cause: Local File Inclusion (LFI)

The vulnerability arises from a Local File Inclusion (LFI) flaw in the plugin’s locate_template() function. The function is intended to load approved template files, but it lacks sufficient validation, which allows arbitrary files on the server to be included.

This missing restriction lets attackers force the plugin to load unintended files.
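
The kind of restriction a template loader needs is sketched below as an added example. It is not the plugin's code or its 2.34.0 patch, and resolve_template(), the directory layout and the file names are hypothetical. It resolves a requested name against an allow-list and then confirms that the canonical path stays inside the template directory.

```php
<?php
// Added illustration, not SiteOrigin's code or patch. All names are hypothetical.
function resolve_template(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allow-list: accept only template names the application registered itself.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Canonicalise both paths so ../ sequences and symlinks are resolved first.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null; // template directory or file does not exist
    }
    // 3. Containment: the resolved file must sit under the template directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // 4. Only regular files with a .php extension count as templates.
    if (!is_file($path) || pathinfo($path, PATHINFO_EXTENSION) !== 'php') {
        return null;
    }
    return $path; // the caller includes this path only when it is non-null
}

// Constructed sample: a temporary template directory and one file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'tpl', 0700, true);
file_put_contents($root . '/tpl/row.php', "<?php // row template\n");
file_put_contents($root . '/outside.php', "<?php // not a template\n");

// The second entry is a deliberately bad allow-list entry, to show that the
// containment check in step 3 still rejects it.
$allowed = ['row.php', '../outside.php'];
foreach (['row.php', '../outside.php', 'missing.php'] as $name) {
    $ok = resolve_template($name, $root . '/tpl', $allowed) !== null;
    printf("%-16s => %s\n", $name, $ok ? 'accepted' : 'rejected');
}

// Remove the constructed sample files.
unlink($root . '/tpl/row.php');
unlink($root . '/outside.php');
rmdir($root . '/tpl');
rmdir($root);
```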

Potential Impact

Montti explains that if an attacker can upload a file to the server, they may be able to:

  • Execute arbitrary PHP code
  • Bypass access controls
  • Access sensitive data

This could lead to a serious compromise, especially when combined with other vulnerabilities that permit file uploads.

Affected Versions and Fix

The vulnerability affects all versions up to 2.33.5 and was patched in version 2.34.0.

Site owners using Page Builder by SiteOrigin should update to version 2.34.0 or later immediately. If updating is not possible, disable the plugin until a patch is applied.

Montti’s report highlights that vulnerabilities requiring authentication can still pose significant risks when low-privilege user roles can trigger them.
