Cyber Resilience

CVE-2026-2448

High

Published: 03 March 2026

Published
03 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0089 54.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-2448 is a high-severity Path Traversal (CWE-22) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2448 is a Local File Inclusion (LFI) vulnerability, classified under CWE-22, affecting the Page Builder by SiteOrigin plugin for WordPress in all versions up to and including 2.33.5. The flaw resides in the locate_template() function, which enables the inclusion and execution of arbitrary files on the server. Published on 2026-03-03, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for confidentially, integrity, and availability impacts.

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows inclusion and execution of arbitrary PHP code from included files, enabling attackers to bypass access controls, exfiltrate sensitive data, or achieve remote code execution. This is particularly potent in scenarios where "safe" file types, such as images, can be uploaded and then targeted for inclusion.

Mitigation details are available in advisories referenced by Wordfence threat intelligence and the plugin's source code at line 576 in post-loop.php of version 2.33.5. Security practitioners should ensure the plugin is updated beyond version 2.33.5 and review access controls for Contributor roles on affected WordPress sites.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.5 via the locate_template() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include…

more

and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The LFI vulnerability in the WordPress plugin enables authenticated remote attackers to include and execute arbitrary server files as PHP code, directly facilitating exploitation of a public-facing web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2505Shared CWE-22
CVE-2026-5841Shared CWE-22
CVE-2026-33242Shared CWE-22
CVE-2026-33292Shared CWE-22
CVE-2026-35605Shared CWE-22
CVE-2025-53632Shared CWE-22
CVE-2025-8110Shared CWE-22
CVE-2026-8757Shared CWE-22
CVE-2025-7712Shared CWE-22
CVE-2026-31817Shared CWE-22

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely flaw remediation, directly addressing this LFI vulnerability by updating the Page Builder plugin beyond version 2.33.5.

prevent

SI-10 enforces validation of information inputs like file paths in locate_template(), preventing arbitrary file inclusion and PHP code execution.

prevent

AC-6 least privilege limits Contributor-level access, reducing the attack surface by restricting who can upload files or trigger the vulnerable function.

References