Vulnerabilities Bearish 7

Critical Vulnerabilities in SiteOrigin and Calendar Plugins Impact 600k Sites

· 3 min read · Verified by 2 sources ·
Share

Key Takeaways

  • Security researchers have identified high-severity vulnerabilities in two popular WordPress plugins, Page Builder by SiteOrigin and a widely used calendar plugin, affecting a combined 600,000 websites.
  • The SiteOrigin flaw, rated 8.8 out of 10, presents a significant risk of unauthorized access or site takeover if left unpatched.

Mentioned

SiteOrigin company Page Builder by SiteOrigin product WordPress technology WordPress Calendar Plugin product Search Engine Journal company

Key Intelligence

Key Facts

  1. 1SiteOrigin Page Builder vulnerability affects approximately 500,000 active websites.
  2. 2The SiteOrigin flaw received a high-severity CVSS score of 8.8 out of 10.
  3. 3A separate WordPress calendar plugin vulnerability impacts an additional 100,000 sites.
  4. 4Total exposure across both plugin disclosures exceeds 600,000 web properties.
  5. 5Security researchers recommend immediate updates to the latest versions to mitigate exploitation risk.

Who's Affected

SiteOrigin
companyNegative
WordPress Site Owners
organizationNegative
Hosting Providers
companyNeutral
WordPress Ecosystem Security Outlook

Analysis

The WordPress ecosystem is facing a significant security challenge as two major plugins have been identified with critical vulnerabilities that expose over 600,000 websites to potential exploitation. The most severe of these flaws resides in Page Builder by SiteOrigin, a popular drag-and-drop interface used by approximately 500,000 active installations. With a CVSS severity rating of 8.8 out of 10, this vulnerability is classified as high-to-critical, signaling that it can likely be exploited with low complexity and without requiring high-level administrative privileges. This development highlights the persistent risk inherent in the WordPress plugin supply chain, where a single point of failure can jeopardize hundreds of thousands of downstream users.

Industry context suggests that vulnerabilities of this magnitude often involve broken access control or cross-site scripting (XSS) flaws that allow attackers to inject malicious code or escalate privileges. For Page Builder by SiteOrigin, the 8.8 rating is particularly concerning because it suggests the potential for remote execution or significant data manipulation. In the broader landscape of CMS security, WordPress remains the primary target for automated botnets and threat actors due to its 43% market share. When a plugin with half a million installs is compromised, it creates a massive, uniform attack surface that can be scanned and exploited within hours of the vulnerability becoming public knowledge.

The most severe of these flaws resides in Page Builder by SiteOrigin, a popular drag-and-drop interface used by approximately 500,000 active installations.

Simultaneously, a separate vulnerability has been disclosed in a prominent WordPress calendar plugin, affecting an additional 100,000 sites. While the technical specifics of this second flaw are distinct, the cumulative impact of these disclosures within a 24-hour window places immense pressure on web administrators and hosting providers. The primary risk in these scenarios is not just the initial breach, but the 'long tail' of unpatched sites. Historical data shows that even after a patch is released, a significant percentage of site owners fail to update their software promptly, leaving a permanent pool of vulnerable targets for opportunistic attackers.

What to Watch

For enterprise users and digital agencies managing multiple WordPress properties, these disclosures necessitate an immediate audit of installed plugins. The shift toward automated patching in WordPress core has mitigated some risks, but third-party plugins often require manual intervention or specific configuration to ensure they are running the latest, most secure versions. Security experts warn that as the WordPress ecosystem continues to mature, the complexity of these plugins increases, often leading to overlooked edge cases in code that can be weaponized by sophisticated actors.

Looking forward, this incident is likely to renew calls for more rigorous security auditing standards for the WordPress Plugin Directory. While the community-driven nature of the platform is its greatest strength, it also remains its most significant security bottleneck. Site owners should expect an uptick in malicious scanning activity targeting these specific plugin directories over the coming weeks. The immediate recommendation for all affected users is to update to the latest versions of Page Builder by SiteOrigin and any installed calendar plugins to close these security gaps before they are actively exploited in the wild.

Sources

Sources

Based on 2 source articles

Cite This Page

"Critical Vulnerabilities in SiteOrigin and Calendar Plugins Impact 600k Sites." Cyber Intelligence Brief, March 3, 2026. https://getcyberbrief.com/story/wordpress-siteorigin-calendar-plugin-vulnerabilities-2026

How we covered this story

Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.

Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.