Two recently patched high-severity vulnerabilities in the Page Builder by SiteOrigin WordPress plugin can allow an attacker to execute code in the site administrator’s browser.

SiteOrigin’s Page Builder helps users create column-based content that can be customized for mobile devices, and it supports the most popular widgets. The plugin has more than one million active installations.

The two new security flaws are described as Cross-Site Request Forgery (CSRF) leading to reflected Cross-Site Scripting (XSS), and both have a CVSS score of 8.8, according to researchers from WordPress security company Defiant.

The first bug was found in the plugin’s built-in live editor, which lets users see content and widget updates in real time.

Although there are checks to confirm that the user is in the live editor and is authorized to edit posts, the plugin had no protection to verify whether attempts to render content in the live editor came from a legitimate source.

This allowed an attacker to use some of the available widgets, such as the Custom HTML widget, to inject JavaScript code into the rendered page.

If the site administrator were to access the crafted live preview page, any malicious JavaScript contained in the Custom HTML widget could be executed in the browser. The data related to the live preview was never stored in the database, resulting in a reflected XSS flaw rather than a stored XSS flaw, combined with a CSRF flaw, Defiant explains.

The second issue is in the plugin’s action_builder_content function, which is tied to transferring content from the live editor in order to publish changes. As with the first issue, it existed because there was no protection to verify the source of the request.
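Both issues come down to the same gap, so here is a minimal Python model of it, added as an illustration and not taken from Defiant or SiteOrigin: an authorization check alone accepts a forged request that rides the administrator's session, while a session-bound request token (the role a WordPress nonce plays) rejects it. The names, the HMAC token scheme and the sample requests are assumptions constructed for this example, and token expiry is left out.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SITE_KEY = secrets.token_bytes(32)  # server-side secret, never sent to a browser

@dataclass
class Request:
    session_id: str       # from the cookie; the browser attaches it to every request
    can_edit_posts: bool  # capability resolved from that session
    widget_html: str      # request body; attacker-chosen in a forged request
    token: str = ""       # only the genuine editor page can embed a valid one

def issue_token(session_id: str, action: str) -> str:
    """Token bound to one session and one action (expiry omitted for brevity)."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()

def preview_authz_only(req: Request) -> tuple[int, str]:
    """Authorization check only: the pattern the article describes."""
    if not req.can_edit_posts:
        return 403, ""
    return 200, req.widget_html  # rendered into the admin's preview page

def preview_with_token(req: Request) -> tuple[int, str]:
    """Same check plus proof that the request came from the editor page."""
    if not req.can_edit_posts:
        return 403, ""
    expected = issue_token(req.session_id, "live_preview")
    if not hmac.compare_digest(expected, req.token):
        return 403, ""
    return 200, req.widget_html

# Constructed sample requests, both riding the same administrator session.
ADMIN = "sess-admin-constructed"
SAMPLE = "<script>/* constructed placeholder */</script>"
forged = Request(ADMIN, True, SAMPLE)  # sent by a third-party page, no token
genuine = Request(ADMIN, True, "<p>hello</p>", issue_token(ADMIN, "live_preview"))

if __name__ == "__main__":
    for name, req in (("forged", forged), ("genuine", genuine)):
        print(name, preview_authz_only(req)[0], preview_with_token(req)[0])
```

The forged request passes the capability check because the browser sends the administrator's cookie with it; only the token, which a third-party page cannot read or compute, separates it from a request built by the editor itself.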

“We discovered that the Text widget could be used to inject malicious JavaScript because it allows content to be edited in text mode instead of visual mode. This allowed potentially malicious JavaScript to be sent without filtering. Because the widget data is echoed, any malicious code in the Text widget’s data can be run as part of a combined CSRF to XSS attack in the victim’s browser,” Defiant writes in its blog post.

The company has released a video demonstrating exploitation and explains that an attacker can use these flaws to redirect an administrator, create a new administrator user, or set up a backdoor on the site.

Both vulnerabilities have been fixed with the release of version 2.10.16 of Page Builder by SiteOrigin. All site administrators are advised to upgrade to the patched version as soon as possible.


Vulnerabilities in the ‘Page Builder’ plugin Expose 1 Million WordPress sites


Ionat Argir is the international correspondent for Security Week.
