Page Builder by SiteOrigin, a WordPress plugin with a million active installs, harbors two flaws that can allow full site takeover. Both bugs can lead to cross-site request forgery (CSRF) and reflected XSS (XSS) If exploited, both bugs could be used to redirect a site s administrator, create a new administrative user account or inject a backdoor on a site. Wordfence researchers assigned both flaws a severity rating of 8.8 out of 10, but no CVEs have yet been assigned.
Source: https://threatpost.com/wordpress-page-builder-bugs-takeover/155659/