Page Builder 2.10.16 Security Update

Page Builder 2.10.16 is a security update that resolves two recently discovered vulnerabilities. Updating Page Builder resolves both issues with no further action required.

On Monday the 4th of May, Wordfence kindly reached out and let us know they had discovered two security vulnerabilities in Page Builder. SiteOrigin is primarily based in the GMT+2 timezone, the news reached us after working hours. On Tuesday the 5th of May, we resolved both issues. Once testing was complete, we released an update for Page Builder.

“WordPress nonces are one-time use security tokens generated by WordPress to help protect URLs and forms from misuse.” The Page Builder Live Editor and so_panels_builder_content Ajax action were each missing a nonce. An attacker could trick a user with an Administrator role into visiting a malformed URL and executing malicious JavaScript in the browser. To resolve, a nonce was added to the Live Editor preview URL and another to the so_panels_builder_content Ajax action. We’re grateful for Wordfence’s help and for letting us know as soon as they were aware. For a full walkthrough of the issues found, please, see the Wordfence report Vulnerabilities Patched in Page Builder by SiteOrigin.

If you have any questions or concerns, please, feel free to comment below. For any support queries, please, open a thread on our forum. Email support via [email protected] is available for our SiteOrigin Premium users.