The WordPress plugin 'Page Builder' by SiteOrigin was found to contain vulnerabilities that exposed websites to code execution attacks. Developed by Greg Priday, the plugin is a drag-and-drop page-building tool used to create mobile-ready content, and it is currently installed on over one million websites.
The Wordfence Threat Intelligence team discovered the bugs on May 4. Both vulnerabilities let an attacker forge requests on behalf of a site administrator and execute malicious code in the administrator's browser. According to the researchers, an administrator still has to click a malicious link or attachment to trigger the attack chain. The issues have not yet been assigned CVE numbers, but both are considered severe.
The first vulnerability, a cross-site request forgery (CSRF) leading to reflected cross-site scripting (XSS), was found in the plugin's live editor feature.
The live editor is used to drag and drop widgets and to create and update post content. Changes to content are sent through a POST parameter, and capability checks in the metadata functions confirm that the user is allowed to edit posts. However, there was no CSRF protection: the request was not verified with a nonce, so the capability check alone could not distinguish a request the administrator intended from one forged by a third-party page the administrator happened to visit.
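The pattern described above, shown as an added illustration rather than SiteOrigin's own code: a minimal WordPress admin handler that renders user-supplied content, first with only a capability check (vulnerable to CSRF, and to XSS because the output is not escaped), then hardened with a nonce check and output sanitization. The hook, action and parameter names (`example_live_preview`, `example_panels_data`, `example_live_preview_nonce`) are hypothetical and do not correspond to identifiers in the plugin.

```php
<?php
// Added example, not from Page Builder by SiteOrigin. Hypothetical names throughout.
// Requires WordPress: current_user_can(), check_admin_referer(), wp_kses_post(),
// wp_nonce_field(), admin_url() and the admin_post_{action} hook are core APIs.

// VULNERABLE PATTERN: capability check only, no nonce, raw output.
// A logged-in administrator lured to an attacker's page can be made to submit
// this POST form (CSRF). current_user_can() passes because the victim really is
// an administrator, and the unescaped payload then runs in the admin's browser (XSS).
function example_live_preview_vulnerable() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $data = isset( $_POST['example_panels_data'] ) ? wp_unslash( $_POST['example_panels_data'] ) : '';
    // Raw HTML/JS from the request is reflected into the admin page.
    echo '<div class="preview">' . $data . '</div>';
}

// HARDENED PATTERN: nonce check (stops CSRF) plus output sanitization (stops XSS).
function example_live_preview_hardened() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Dies unless the request carries a nonce minted for this action in this
    // user's session. A third-party origin cannot read that value, so a forged
    // cross-site submission is rejected before any content is rendered.
    check_admin_referer( 'example_live_preview_action', 'example_live_preview_nonce' );

    $data = isset( $_POST['example_panels_data'] ) ? wp_unslash( $_POST['example_panels_data'] ) : '';
    // wp_kses_post() keeps the markup allowed in post content and strips <script>,
    // on* event handlers and other dangerous constructs before output.
    echo '<div class="preview">' . wp_kses_post( $data ) . '</div>';
}

// The legitimate form must include the nonce field the hardened handler verifies.
function example_live_preview_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_live_preview">';
    wp_nonce_field( 'example_live_preview_action', 'example_live_preview_nonce' );
    echo '<textarea name="example_panels_data"></textarea>';
    echo '<button type="submit">Preview</button>';
    echo '</form>';
}

// Route admin-post.php?action=example_live_preview to the hardened handler.
add_action( 'admin_post_example_live_preview', 'example_live_preview_hardened' );
```

The two defenses are independent: the nonce check would on its own have blocked the cross-site trigger, and the sanitization on its own would have prevented the reflected script from executing; a handler that only checks capabilities has neither, which is exactly why a privileged victim is enough for the attack to succeed.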
The flaws were reported to the developer on the day they were discovered, May 4. Priday confirmed the report and released a patch within 24 hours, and Wordfence credited him for the remarkably quick response.
The latest version of the plugin, 2.10.16, fixes both issues. So far 66.6% of installations have been updated; users should make sure they are running the patched version.