Page Builder by SiteOrigin Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Legacy Image Widget – CVE-2024-2202 | WordPress Plugin Vulnerability Report

Plugin Name: Page Builder by SiteOrigin

Key Information:

  • Software Type: Plugin
  • Software Slug: siteorigin-panels
  • Software Status: Active
  • Software Author: gpriday
  • Software Downloads: 49,798,891
  • Active Installs: 700,000
  • Last Updated: March 22, 2024
  • Patched Versions: 2.29.7
  • Affected Versions: <= 2.29.6

Vulnerability Details:

  • Name: Page Builder by SiteOrigin <= 2.29.6
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Legacy Image Widget
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2202
  • CVSS Score: 6.4
  • Publicly Published: March 22, 2024
  • Researcher: Webbernaut
  • Description: The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) through its legacy Image widget. Due to insufficient input sanitization and output escaping, authenticated attackers with at least contributor-level permissions can inject arbitrary web scripts. These scripts may execute malicious actions whenever a user accesses a page containing the compromised widget.


The Page Builder by SiteOrigin plugin harbors a vulnerability in versions up to and including 2.29.6, specifically within its legacy Image widget. This security flaw allows authenticated users with sufficient permissions to carry out Stored Cross-Site Scripting attacks by injecting harmful scripts into web pages. To address this vulnerability, the plugin developers have released a patch in version 2.29.7.

Detailed Overview:

This vulnerability was discovered by the researcher known as Webbernaut, drawing attention to the security risks associated with legacy components within plugins. The crux of the vulnerability lies in the lack of stringent input sanitization and output escaping mechanisms for the Image widget, a remnant from earlier versions of the plugin. When exploited, this flaw can lead to unauthorized actions being performed on behalf of unsuspecting users, compromising the security and integrity of websites using the affected plugin versions.

Advice for Users:

  • Immediate Action: Users of the Page Builder by SiteOrigin plugin should urgently update to the patched version, 2.29.7, to mitigate the risk associated with this vulnerability.
  • Check for Signs of Vulnerability: Site administrators are advised to review their web pages for unexpected or malicious content, especially in areas where the legacy Image widget might have been used.
  • Alternate Plugins: While the immediate vulnerability has been patched, users may wish to explore alternative page builder plugins that offer similar functionality, particularly those with a strong track record of security and timely updates.
  • Stay Updated: Maintaining the latest versions of all WordPress plugins and themes is crucial for securing your website against known vulnerabilities and potential exploits.


The prompt action taken by the developers of Page Builder by SiteOrigin to address this vulnerability underscores the critical importance of regular software updates in safeguarding digital assets. By ensuring that the plugin is updated to version 2.29.7 or later, users can protect their WordPress installations from the risks posed by this particular security flaw.


Detailed Report: 

In the digital age, where websites serve as the cornerstone of any business, ensuring their security is not just a necessity but a mandate. The recent discovery of a vulnerability within the Page Builder by SiteOrigin plugin, a tool cherished by many for its ability to create complex layouts with ease, casts a spotlight on the ever-present need for vigilance in the digital realm. Dubbed CVE-2024-2202, this flaw not only challenges the integrity of websites but also emphasizes the critical importance of keeping digital assets up to date for the safety and trust of users.

Plugin Overview:

Page Builder by SiteOrigin, known for its user-friendly drag-and-drop interface, is a cornerstone for over 700,000 WordPress websites. Developed by gpriday, this plugin has facilitated the creation of engaging web content without the need for extensive coding knowledge. Its popularity is underscored by an impressive tally of nearly 50 million downloads, marking it as an essential tool in the WordPress ecosystem.

Vulnerability Insights:

CVE-2024-2202 exposes a serious security gap within the plugin's legacy Image widget. This vulnerability allows authenticated users, starting from contributor level, to inject malicious scripts through Stored Cross-Site Scripting (XSS) attacks. Stemming from inadequate input sanitization and output escaping, such attacks could lead to unauthorized actions being executed on the compromised web pages. Identified by researcher Webbernaut and disclosed on March 22, 2024, this flaw highlights the latent risks lurking within digital tools, even those as widely used and trusted as Page Builder by SiteOrigin.

Potential Risks and Impacts:

The implications of this vulnerability extend far beyond mere technical glitches. Successful exploitation can compromise the security and integrity of websites, leading to data breaches, unauthorized access, and potentially severe consequences for website owners and their users. In an era where digital trust is paramount, such vulnerabilities can tarnish reputations and erode user confidence, with potentially long-lasting effects on businesses and brands.

Remediation Steps:

In response to this discovery, a patch has been swiftly released in version 2.29.7 of the plugin. Users are urged to update immediately to mitigate the risks posed by this vulnerability. Additionally, site administrators should conduct thorough reviews of their web pages for any unusual or unauthorized content, particularly in sections where the legacy Image widget was utilized. This proactive approach to digital health is crucial for maintaining the security and integrity of online platforms.

Historical Context:

This is not the first challenge faced by the Page Builder by SiteOrigin plugin; there have been 3 previous vulnerabilities reported since December 1, 2015. This historical context underscores the ongoing battle against digital threats and the importance of regular monitoring and updates to ensure the security of digital tools.

In conclusion, the discovery of CVE-2024-2202 within the Page Builder by SiteOrigin plugin serves as a stark reminder of the dynamic nature of digital threats and the imperative of continuous vigilance. For small business owners juggling myriad responsibilities, understanding and acting on such vulnerabilities might seem daunting. However, the digital security of your business is intrinsically linked to its overall health and success. Staying informed, adopting a proactive approach to digital maintenance, and leveraging resources and expertise available within the community can empower even the busiest entrepreneurs to safeguard their online presence against potential threats.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.


Page Builder by SiteOrigin Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Legacy Image Widget – CVE-2024-2202 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment