PLUGIN SECURITY
Is Siteorigin Panels safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Siteorigin Panels WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
siteorigin-panels - Requires PHP: 7.0.0+
- Max supported PHP (analyzed): 8.4
Known vulnerabilities
- Page Builder by SiteOrigin [siteorigin-panels] < 2.10.16 [CVE-2020-13642, WordPress Page Builder by SiteOrigin plugin <= 2.10.15 - Cross-Site Request Forgery (CSRF) vulnerability leading to Reflected Cross-Site Scripting (XSS), Page Builder by SiteOrigin <= 2.10.15 - Cross-Site Request Forgery to Reflected Cross-Site Scripting, WordPress Page Builder by SiteOrigin Plugin <= 2.10.15 is vulnerable to Cross Site Request Forgery (CSRF), Page Builder by SiteOrigin < 2.10.16 - CSRF to Reflected Cross-Site Scripting (XSS)]
- Page Builder by SiteOrigin [siteorigin-panels] < 2.10.16 [CVE-2020-13643, WordPress Page Builder by SiteOrigin plugin <= 2.10.15 - Cross-Site Request Forgery (CSRF) vulnerability leading to Reflected Cross-Site Scripting (XSS), Page Builder by SiteOrigin <= 2.10.15 - Cross-Site Request Forgery to Reflected Cross-Site Scripting, WordPress Page Builder by SiteOrigin Plugin <= 2.10.15 is vulnerable to Cross Site Request Forgery (CSRF)]
- Page Builder by SiteOrigin [siteorigin-panels] < 2.0.5 [WordPress Page Builder Plugin <= 2.0.3 - Reflected XSS]
- Page Builder by SiteOrigin [siteorigin-panels] < 2.0.5 [Page Builder by SiteOrigin < 2.0.5 - Reflected Cross-Site Scripting]
- Page Builder by SiteOrigin [siteorigin-panels] < 2.0.5 [WordPress Page Builder by SiteOrigin Plugin <= 2.0.3 is vulnerable to Cross Site Scripting (XSS)]
+ 7 more known vulnerabilities
- Page Builder by SiteOrigin [siteorigin-panels] < 2.0.5 [Page Builder by SiteOrigin 2.0.3 - Reflected XSS]
- Page Builder by SiteOrigin [siteorigin-panels] < 2.29.7 [CVE-2024-2202, Page Builder by SiteOrigin <= 2.29.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Legacy Image Widget, WordPress Page Builder by SiteOrigin Plugin <= 2.29.6 is vulnerable to Cross Site Scripting (XSS), Page Builder by SiteOrigin < 2.29.7 - Contributor+ Stored XSS]
- Page Builder by SiteOrigin [siteorigin-panels] < 2.29.16 [CVE-2024-4361, WordPress Page Builder by SiteOrigin Plugin <= 2.29.15 is vulnerable to Cross Site Scripting (XSS), Page Builder by SiteOrigin <= 2.29.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'siteorigin_widget' Shortcode]
- Page Builder by SiteOrigin [siteorigin-panels] < 2.31.1 [CVE-2024-12240, WordPress Page Builder by SiteOrigin Plugin <= 2.31.0 is vulnerable to Cross Site Scripting (XSS), Page Builder by SiteOrigin <= 2.31.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Row Label Parameter, EUVD-2024-50707]
- Page Builder by SiteOrigin [siteorigin-panels] < 2.31.5 [CVE-2025-1459, Page Builder by SiteOrigin <= 2.31.4 - Authenticated (Contributor+) Stored Cross-Site Scripting, EUVD-2025-5900]
- Page Builder by SiteOrigin [siteorigin-panels] < 2.34.0 [CVE-2026-2448, Page Builder by SiteOrigin <= 2.33.5 - Authenticated (Contributor+) Local File Inclusion]
- Page Builder by SiteOrigin [siteorigin-panels] < 2.34.4 [CVE-2026-13295, Page Builder by SiteOrigin <= 2.34.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via panels_data Parameter, EUVD-2026-39955]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Elementor Website Builder – more than just a page builder — 10000000+ active installs — max PHP 8.4
- Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode — 700000+ active installs — max PHP <8.0
- Kadence Blocks — Page Builder Toolkit for Gutenberg Editor — 600000+ active installs — max PHP 8.4
- Kirki – Freeform Page Builder, Website Builder & Customizer — 500000+ active installs — max PHP <8.0
- Page Builder: Pagelayer – Drag and Drop website builder — 400000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.