Two recently patched high-severity vulnerabilities in the SiteOrigin Page Builder WordPress plugin can allow an attacker to execute code in a site administrator’s browser.
SiteOrigin’s Page Builder helps users create column-based content that adapts to mobile devices and also supports the most popular widgets. The plugin has more than one million active installations.
The two vulnerabilities are described as Cross-Site Request Forgery (CSRF) leading to reflected Cross-Site Scripting (XSS), and both have a CVSS score of 8.8, according to researchers at the WordPress security company Defiant.
The first bug was found in the plugin’s built-in live editor, which lets users preview content or widget updates in real time.
Although there are checks to confirm that the user is in the live editor and is authorized to edit posts, the plugin had no protection in place to verify whether requests to render content from the live editor originated from a legitimate source.
The second issue affected the plugin’s action_builder_content function, which is responsible for transferring content from the live editor in order to publish changes. As with the first issue, it existed because there was no protection to verify the source of the request.
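The missing protection described above is, in WordPress terms, a nonce (request-origin) check on an AJAX handler. The following is an added illustration and not SiteOrigin’s code: a hypothetical plugin endpoint `demo_render_preview` that renders editor-supplied content back to the page, shown first without any origin check (the CSRF-to-XSS pattern) and then hardened with WordPress’s `check_ajax_referer()`, a capability check, and output sanitisation.

```php
<?php
// Added illustration (not SiteOrigin's code): a hypothetical plugin AJAX
// endpoint that renders user-supplied content back into an editor preview.

// --- Defective pattern: no origin check, no capability check, raw output.
// Any page that can make the administrator's browser submit this request
// gets its content echoed back as HTML in the administrator's session.
add_action( 'wp_ajax_demo_render_preview_insecure', function () {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo $content; // reflected unescaped: a forged request becomes XSS
    wp_die();
} );

// --- Hardened pattern.
add_action( 'wp_ajax_demo_render_preview', function () {
    // 1. Nonce check: the request must carry a token that only a page served
    //    by this site (with this action name) was issued; otherwise wp_die().
    check_ajax_referer( 'demo_render_preview', 'nonce' );

    // 2. Capability check: being logged in is not enough; require edit rights.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Allow only the markup an editor may post anyway (strips script tags
    //    and event-handler attributes).
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    $safe    = wp_kses_post( $content );

    wp_send_json_success( array( 'html' => $safe ) );
} );

// The front-end script receives a nonce bound to the same action name and
// must send it as the 'nonce' POST field with every preview request.
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'demo-preview', plugins_url( 'preview.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-preview', 'demoPreview', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_render_preview' ),
    ) );
    wp_enqueue_script( 'demo-preview' );
} );
```

The nonce is what distinguishes a request the administrator’s own editor sent from one a third-party page caused the browser to send; the capability check and `wp_kses_post()` limit what a request can do even if it is legitimate.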
The company has released a video demonstrating exploitation and explaining that an attacker could use these flaws to redirect an administrator, create a new administrator user, or plant a backdoor on the site.
Both vulnerabilities were fixed with the release of version 2.10.16 of Page Builder by SiteOrigin. All site administrators are advised to update to the patched version as soon as possible.
Ionut Arghire is an international correspondent for SecurityWeek.