CVE-2026-2448 in Page Builder by SiteOrigin Plugin

Summary

by MITRE • 03/03/2026

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.5 via the locate_template() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Analysis

by VulDB Data Team • 03/04/2026

The vulnerability identified as CVE-2026-2448 affects the Page Builder by SiteOrigin plugin for WordPress, representing a critical local file inclusion flaw that undermines the security posture of affected systems. This vulnerability exists within the plugin's locate_template() function and impacts all versions up to and including 2.33.5, making it a widespread concern for WordPress administrators who have not yet updated their installations. The flaw specifically targets authenticated users who possess Contributor-level access or higher, which is particularly concerning given that contributors can typically edit their own posts and upload media files, potentially creating a pathway for privilege escalation.

The technical exploitation of this vulnerability occurs through the improper handling of file paths within the locate_template() function, which allows attackers to manipulate the template loading process and include arbitrary local files. This flaw aligns with CWE-22, which describes improper limitation of a pathname to a restricted directory, commonly known as path traversal attacks. When an authenticated user with contributor privileges uploads a malicious file or manipulates existing file paths, they can leverage this vulnerability to include PHP files from the server filesystem. The implications extend beyond simple code execution, as attackers can potentially access sensitive configuration files, database credentials, or other critical system information that may be stored locally on the server.

The operational impact of this vulnerability is severe and multifaceted, as it provides attackers with the capability to bypass standard access controls and achieve full code execution on the affected WordPress installation. This can lead to complete system compromise, data exfiltration, and potential lateral movement within network environments where the vulnerable WordPress instance resides. The vulnerability is particularly dangerous because it can be exploited through the upload of seemingly harmless file types such as images, which are typically permitted in WordPress environments. This creates a scenario where attackers can upload a malicious file disguised as an image, then leverage the LFI vulnerability to execute PHP code contained within that file, effectively turning a media upload feature into a weaponized attack vector.

Organizations should implement immediate mitigation strategies to address this vulnerability, including updating to the latest version of the Page Builder by SiteOrigin plugin where the issue has been resolved. Additionally, administrators should enforce strict file upload validation and implement proper access controls to limit the privileges of users who can upload files to the system. The principle of least privilege should be strictly enforced, ensuring that users with contributor-level access cannot manipulate the template system or upload files that could be used for exploitation. Network segmentation and monitoring solutions should be deployed to detect anomalous file inclusion patterns that may indicate exploitation attempts. This vulnerability also highlights the importance of regular security audits and vulnerability assessments, particularly for plugins that handle file operations and template rendering. The ATT&CK framework categorizes this type of vulnerability under T1059.001 - Command and Scripting Interpreter: PHP, as attackers can execute PHP code directly through the vulnerable system, and T1566.002 - Phishing: Spearphishing Attachment, since attackers may use malicious file uploads as part of their exploitation strategy. Organizations should also consider implementing web application firewalls to detect and block malicious file inclusion attempts, and establish incident response procedures specifically designed to handle such privilege escalation vulnerabilities.
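
One way to act on the upload-validation and monitoring advice above, as an added example that is not VulDB's or SiteOrigin's code: a check of a plugin version string against the affected range, and a scan of an uploads tree for "safe" file types that carry a PHP open tag. The extension list, the function names and the demo files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (2, 33, 5)  # from the advisory: all versions up to and including 2.33.5
# Assumed list of extensions a site treats as harmless uploads; adjust to local policy.
SAFE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg", ".txt", ".pdf"}
# "<?php" plus whitespace is a full open tag; "<?=" is the short echo tag.
# "<?=" can occur by chance in large binary files, so review those hits manually.
PHP_TAG = re.compile(rb"<\?php\s|<\?=", re.IGNORECASE)


def is_affected(version: str) -> bool:
    """True when a plugin version string is in the affected range (empty counts as affected)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    parts += (0,) * (3 - len(parts))  # pad "2.33" to (2, 33, 0)
    return parts <= LAST_AFFECTED


def scan_uploads(root: Path) -> list[tuple[str, int, str]]:
    """Return (relative path, byte offset, tag) for 'safe' files containing a PHP open tag."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SAFE_EXTS:
            continue
        m = PHP_TAG.search(path.read_bytes())
        if m:
            hits.append((path.relative_to(root).as_posix(), m.start(),
                         m.group().decode().strip()))
    return hits


def demo() -> list[tuple[str, int, str]]:
    """Build a constructed uploads tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "2026/03").mkdir(parents=True)
        # Constructed samples: a clean PNG header, a GIF header with PHP appended, an SVG.
        (root / "2026/03/logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        (root / "2026/03/avatar.gif").write_bytes(b"GIF89a" + b"\x00" * 10 + b"<?php echo 1; ?>")
        (root / "2026/03/icon.svg").write_bytes(b'<?xml version="1.0"?><svg/>')
        return scan_uploads(root)


if __name__ == "__main__":
    print("2.33.5 affected:", is_affected("2.33.5"))
    for rel, off, tag in demo():
        print(f"{rel}: {tag!r} at byte {off}")
```

On a real site, point `scan_uploads` at the uploads directory and treat any hit in an image file as a lead for investigation alongside the plugin update.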

Disclosure

03/03/2026

Moderation

accepted

CPE

ready

EPSS

0.00181

KEV

no

Activities

very low
