Page Builder by SiteOrigin Security & Risk Analysis

wordpress.org/plugins/siteorigin-panels

Build responsive page layouts using the widgets you know and love using this simple drag and drop page builder.

500K active installs · v2.34.0 · PHP 7.0.0+ · WP 4.7+ · Updated Feb 21, 2026
Tags: drag-and-drop, page-builder, responsive-design, visual-editor, website-builder
Score 88 · A · Safe
CVEs total: 8
Unpatched: 0
Last CVE: Mar 2, 2026
Safety Verdict

Is Page Builder by SiteOrigin Safe to Use in 2026?

Generally Safe

Score 88/100

Page Builder by SiteOrigin has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Mar 2, 2026 · Updated 1mo ago
Risk Assessment

The SiteOrigin Panels plugin version 2.34.0 exhibits a generally strong security posture, with all identified entry points (AJAX handlers, REST API routes, shortcodes) having authentication or permission checks. The code analysis reveals good practices such as a high percentage of SQL queries using prepared statements and a large majority of outputs being properly escaped. The presence of 22 nonce checks and 24 capability checks further reinforces this.

However, there are areas of concern. The taint analysis indicates 3 flows with unsanitized paths, which, despite being categorized as low severity, represent a potential risk for path traversal vulnerabilities. The vulnerability history is significant, with 8 total CVEs, including 3 high and 5 medium severity vulnerabilities, although none are currently unpatched. The common vulnerability types like Path Traversal and Cross-site Scripting suggest recurring weaknesses in input validation and output sanitization, even with the static analysis showing good overall sanitization.

The plugin's history of diverse and potentially severe vulnerabilities warrants careful attention and ongoing monitoring. While the current version appears to have addressed past critical issues and has a robust attack surface protection, the historical pattern of vulnerabilities, particularly those related to path traversal and XSS, suggests a need for continued vigilance and thorough code reviews.

Key Concerns

  • Flows with unsanitized paths
  • History of high severity vulnerabilities
  • History of medium severity vulnerabilities
Vulnerabilities
8

Page Builder by SiteOrigin Security Vulnerabilities

CVEs by Year

2015: 1 CVE
2020: 2 CVEs
2024: 2 CVEs
2025: 2 CVEs
2026: 1 CVE

Severity Breakdown

High: 3
Medium: 5

8 total CVEs

CVE-2026-2448 · high · 8.8 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Page Builder by SiteOrigin <= 2.33.5 - Authenticated (Contributor+) Local File Inclusion

Mar 2, 2026 Patched in 2.34.0 (1d)
CVE-2025-1459 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder by SiteOrigin <= 2.31.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 28, 2025 Patched in 2.31.5 (1d)
CVE-2024-12240 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder by SiteOrigin <= 2.31.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Row Label Parameter

Jan 13, 2025 Patched in 2.31.1 (1d)
CVE-2024-4361 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder by SiteOrigin <= 2.29.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'siteorigin_widget' Shortcode

May 20, 2024 Patched in 2.29.16 (1d)
CVE-2024-2202 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder by SiteOrigin <= 2.29.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Legacy Image Widget

Mar 22, 2024 Patched in 2.29.7 (1d)
CVE-2020-13643 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Page Builder by SiteOrigin <= 2.10.15 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

May 11, 2020 Patched in 2.10.16 (1352d)
CVE-2020-13642 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Page Builder by SiteOrigin <= 2.10.15 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

May 5, 2020 Patched in 2.10.16 (1358d)
WF-d10364ed-179d-4506-a6f0-42b03c005242-siteorigin-panels · medium · 5.3 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder by SiteOrigin < 2.0.5 - Reflected Cross-Site Scripting

Dec 1, 2015 Patched in 2.0.5 (2975d)
Code Analysis
Analyzed Mar 16, 2026

Page Builder by SiteOrigin Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (3 prepared)
Unescaped Output: 75 (649 escaped)
Nonce Checks: 22
Capability Checks: 24
File Operations: 9
External Requests: 2
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

75% prepared (4 total queries)

Output Escaping

90% escaped (724 total outputs)

Data Flows: 3 unsanitized

Data Flow Analysis

15 flows, 3 with unsanitized paths
action_widget_form (inc\admin.php:1416)
Attack Surface

Page Builder by SiteOrigin Attack Surface

Entry Points: 17
Unprotected: 0

AJAX Handlers 15

auth · wp_ajax_so_panels_layouts_query · inc\admin-layouts.php:23
auth · wp_ajax_so_panels_get_layout · inc\admin-layouts.php:24
auth · wp_ajax_so_panels_import_layout · inc\admin-layouts.php:25
auth · wp_ajax_so_panels_export_layout · inc\admin-layouts.php:26
auth · wp_ajax_so_panels_directory_enable · inc\admin-layouts.php:27
auth · wp_ajax_so_panels_builder_content · inc\admin.php:52
auth · wp_ajax_so_panels_builder_content_json · inc\admin.php:53
auth · wp_ajax_so_panels_widget_form · inc\admin.php:54
auth · wp_ajax_so_panels_live_editor_preview · inc\admin.php:55
auth · wp_ajax_so_panels_layout_block_preview · inc\admin.php:56
auth · wp_ajax_so_panels_dismiss_post_notice · inc\admin.php:90
auth · wp_ajax_so_installer_dismiss · inc\installer\inc\admin.php:7
auth · wp_ajax_siteorigin_installer_manage · inc\installer\inc\admin.php:8
auth · wp_ajax_so_installer_status · inc\installer\siteorigin-installer.php:30
auth · wp_ajax_so_panels_style_form · inc\styles-admin.php:5

Shortcodes 2

[siteorigin_widget] inc\widget-shortcode.php:12
[self_video] widgets\widgets.php:1219
WordPress Hooks 184
Maintenance & Trust

Page Builder by SiteOrigin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 21, 2026
PHP min version: 7.0.0
Downloads: 57.4M

Community Trust

Rating: 96/100
Number of ratings: 1,004
Active installs: 500K
Developer Profile

Page Builder by SiteOrigin Developer Profile

Greg - SiteOrigin

10 plugins · 1.0M total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 320 days
Detection Fingerprints

How We Detect Page Builder by SiteOrigin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/siteorigin-panels/css/admin.css
/wp-content/plugins/siteorigin-panels/css/frontend.css
/wp-content/plugins/siteorigin-panels/css/style.css
/wp-content/plugins/siteorigin-panels/js/admin.js
/wp-content/plugins/siteorigin-panels/js/editor.js
/wp-content/plugins/siteorigin-panels/js/frontend.js
/wp-content/plugins/siteorigin-panels/js/main.js
/wp-content/plugins/siteorigin-panels/widgets/css/widgets.css
+1 more
Script Paths
/wp-content/plugins/siteorigin-panels/js/main.js
Version Parameters
siteorigin-panels/css/style.css?ver=
siteorigin-panels/js/main.js?ver=
siteorigin-panels/css/admin.css?ver=
siteorigin-panels/js/admin.js?ver=
siteorigin-panels/css/frontend.css?ver=
siteorigin-panels/js/frontend.js?ver=
siteorigin-panels/js/editor.js?ver=
siteorigin-panels/widgets/css/widgets.css?ver=
siteorigin-panels/widgets/js/widgets.js?ver=

HTML / DOM Fingerprints

CSS Classes
siteorigin-panels-editor
siteorigin-panels-widget
siteorigin-panels-row
siteorigin-panels-column
siteorigin-panels-setting
HTML Comments
SiteOrigin Panels
Generated by SiteOrigin Page Builder
SiteOrigin Page Builder
Data Attributes
data-siteorigin-panels-id
data-panels-id
data-widget-id
data-row-id
data-column-id
data-container
+2 more
JS Globals
siteoriginPanels
SiteOriginPanels
soPanels
soWidgets
REST Endpoints
/wp-json/siteorigin-panels/v1/layouts
/wp-json/siteorigin-panels/v1/get-layout
/wp-json/siteorigin-panels/v1/save-layout
Shortcode Output
[siteorigin_panels]
[siteorigin_panels_widget]
[siteorigin_panels_row]
[siteorigin_panels_column]