CVE-2020-13642

Name of the Vulnerable Software and Affected Versions SiteOrigin Page Builder plugin versions prior to 2.10.16

Description An issue was discovered in the SiteOrigin Page Builder plugin, where the action builder content function did not perform nonce verification, allowing requests to be forged on behalf of an administrator. The panels data $ POST variable allows for malicious JavaScript to be executed in the victim's browser.

Recommendations For versions prior to 2.10.16, update to version 2.10.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the action builder content function until a patch is available. Avoid using the panels data variable in the affected plugin until the issue is resolved.