CVE-2026-2448
Published: 03 March 2026
Summary
CVE-2026-2448 is a high-severity Path Traversal (CWE-22) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely flaw remediation, directly addressing this LFI vulnerability by updating the Page Builder plugin beyond version 2.33.5.
SI-10 enforces validation of information inputs like file paths in locate_template(), preventing arbitrary file inclusion and PHP code execution.
AC-6 least privilege limits Contributor-level access, reducing the attack surface by restricting who can upload files or trigger the vulnerable function.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The LFI vulnerability in the WordPress plugin enables authenticated remote attackers to include and execute arbitrary server files as PHP code, directly facilitating exploitation of a public-facing web application.
NVD Description
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.5 via the locate_template() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include…
more
and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Deeper analysisAI
CVE-2026-2448 is a Local File Inclusion (LFI) vulnerability, classified under CWE-22, affecting the Page Builder by SiteOrigin plugin for WordPress in all versions up to and including 2.33.5. The flaw resides in the locate_template() function, which enables the inclusion and execution of arbitrary files on the server. Published on 2026-03-03, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for confidentially, integrity, and availability impacts.
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows inclusion and execution of arbitrary PHP code from included files, enabling attackers to bypass access controls, exfiltrate sensitive data, or achieve remote code execution. This is particularly potent in scenarios where "safe" file types, such as images, can be uploaded and then targeted for inclusion.
Mitigation details are available in advisories referenced by Wordfence threat intelligence and the plugin's source code at line 576 in post-loop.php of version 2.33.5. Security practitioners should ensure the plugin is updated beyond version 2.33.5 and review access controls for Contributor roles on affected WordPress sites.
Details
- CWE(s)