Severe CSRF to XSS bugs open the door to code execution and complete website compromise. Page Builder by SiteOrigin, a WordPress plugin with a million active installs that’s used to build websites via a drag-and-drop function, harbors two flaws that can allow full site takeover. According to researchers at WordPress, both security bugs can lead to cross-site request forgery (CSRF) and reflected cross-site scripting (XSS). They “allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser,” according to Wordfence researchers, in a Monday posting. They assigned both flaws a severity rating of 8.8 out of 10, but no CVEs have yet been assigned.