CVE-2026-2448

High

Published: 03 March 2026

Published

03 March 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0015 35.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.5 via the locate_template() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include…

and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely flaw remediation, directly addressing this LFI vulnerability by updating the Page Builder plugin beyond version 2.33.5.

SI-10 Information Input Validation good match

prevent

SI-10 enforces validation of information inputs like file paths in locate_template(), preventing arbitrary file inclusion and PHP code execution.

AC-6 Least Privilege partial match

prevent

AC-6 least privilege limits Contributor-level access, reducing the attack surface by restricting who can upload files or trigger the vulnerable function.

Security SummaryAI

CVE-2026-2448 is a Local File Inclusion (LFI) vulnerability, classified under CWE-22, affecting the Page Builder by SiteOrigin plugin for WordPress in all versions up to and including 2.33.5. The flaw resides in the locate_template() function, which enables the inclusion and execution of arbitrary files on the server. Published on 2026-03-03, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for confidentially, integrity, and availability impacts.

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows inclusion and execution of arbitrary PHP code from included files, enabling attackers to bypass access controls, exfiltrate sensitive data, or achieve remote code execution. This is particularly potent in scenarios where "safe" file types, such as images, can be uploaded and then targeted for inclusion.

Mitigation details are available in advisories referenced by Wordfence threat intelligence and the plugin's source code at line 576 in post-loop.php of version 2.33.5. Security practitioners should ensure the plugin is updated beyond version 2.33.5 and review access controls for Contributor roles on affected WordPress sites.

Details

CWE(s): CWE-22

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The LFI vulnerability in the WordPress plugin enables authenticated remote attackers to include and execute arbitrary server files as PHP code, directly facilitating exploitation of a public-facing web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://plugins.trac.wordpress.org/browser/siteorigin-panels/tags/2.33.5/inc/widgets/post-loop.php#L576
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/deeeb78d-1757-44ec-968b-968d919b84f1?source=cve
security@wordfence.com