Critical Vulnerabilities in SiteOrigin and Calendar Plugins Impact 600k Sites
Key Takeaways
- Security researchers have identified high-severity vulnerabilities in two popular WordPress plugins, Page Builder by SiteOrigin and a widely used calendar plugin, affecting a combined 600,000 websites.
- The SiteOrigin flaw, rated 8.8 out of 10, presents a significant risk of unauthorized access or site takeover if left unpatched.
Mentioned
Key Intelligence
Key Facts
- 1SiteOrigin Page Builder vulnerability affects approximately 500,000 active websites.
- 2The SiteOrigin flaw received a high-severity CVSS score of 8.8 out of 10.
- 3A separate WordPress calendar plugin vulnerability impacts an additional 100,000 sites.
- 4Total exposure across both plugin disclosures exceeds 600,000 web properties.
- 5Security researchers recommend immediate updates to the latest versions to mitigate exploitation risk.
Who's Affected
Analysis
The WordPress ecosystem is facing a significant security challenge as two major plugins have been identified with critical vulnerabilities that expose over 600,000 websites to potential exploitation. The most severe of these flaws resides in Page Builder by SiteOrigin, a popular drag-and-drop interface used by approximately 500,000 active installations. With a CVSS severity rating of 8.8 out of 10, this vulnerability is classified as high-to-critical, signaling that it can likely be exploited with low complexity and without requiring high-level administrative privileges. This development highlights the persistent risk inherent in the WordPress plugin supply chain, where a single point of failure can jeopardize hundreds of thousands of downstream users.
Industry context suggests that vulnerabilities of this magnitude often involve broken access control or cross-site scripting (XSS) flaws that allow attackers to inject malicious code or escalate privileges. For Page Builder by SiteOrigin, the 8.8 rating is particularly concerning because it suggests the potential for remote execution or significant data manipulation. In the broader landscape of CMS security, WordPress remains the primary target for automated botnets and threat actors due to its 43% market share. When a plugin with half a million installs is compromised, it creates a massive, uniform attack surface that can be scanned and exploited within hours of the vulnerability becoming public knowledge.
The most severe of these flaws resides in Page Builder by SiteOrigin, a popular drag-and-drop interface used by approximately 500,000 active installations.
Simultaneously, a separate vulnerability has been disclosed in a prominent WordPress calendar plugin, affecting an additional 100,000 sites. While the technical specifics of this second flaw are distinct, the cumulative impact of these disclosures within a 24-hour window places immense pressure on web administrators and hosting providers. The primary risk in these scenarios is not just the initial breach, but the 'long tail' of unpatched sites. Historical data shows that even after a patch is released, a significant percentage of site owners fail to update their software promptly, leaving a permanent pool of vulnerable targets for opportunistic attackers.
What to Watch
For enterprise users and digital agencies managing multiple WordPress properties, these disclosures necessitate an immediate audit of installed plugins. The shift toward automated patching in WordPress core has mitigated some risks, but third-party plugins often require manual intervention or specific configuration to ensure they are running the latest, most secure versions. Security experts warn that as the WordPress ecosystem continues to mature, the complexity of these plugins increases, often leading to overlooked edge cases in code that can be weaponized by sophisticated actors.
Looking forward, this incident is likely to renew calls for more rigorous security auditing standards for the WordPress Plugin Directory. While the community-driven nature of the platform is its greatest strength, it also remains its most significant security bottleneck. Site owners should expect an uptick in malicious scanning activity targeting these specific plugin directories over the coming weeks. The immediate recommendation for all affected users is to update to the latest versions of Page Builder by SiteOrigin and any installed calendar plugins to close these security gaps before they are actively exploited in the wild.
Sources
Sources
Based on 2 source articles- Search Engine JournalPage Builder by SiteOrigin WordPress Vulnerability Affects Up To 500k Sites via @sejournal, @martinibusterMar 3, 2026
- Search Engine JournalWordPress Calendar Plugin Vulnerability Affects Up To 100k Sites via @sejournal, @martinibusterMar 3, 2026
Cite This Page
"Critical Vulnerabilities in SiteOrigin and Calendar Plugins Impact 600k Sites." Cyber Intelligence Brief, March 3, 2026. https://getcyberbrief.com/story/wordpress-siteorigin-calendar-plugin-vulnerabilities-2026
How we covered this story
Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.
Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.
| Signal on this page | What it tells you |
|---|---|
| Verified by N sources | Independent corroboration count. N≥2 is our confidence floor; N=1 is marked explicitly. |
| Impact score (1-10) | Regulatory + financial + operational weight. 8+ signals an experienced-operator action item. |
| Sentiment | Five-tier classification trained on labeled cybersecurity-specific corpora. |
| Timeline | Where applicable, the related-events sequence that contextualizes today's development. |