The Page Builder by SiteOrigin WordPress plugin was subject to vulnerabilities that exposed websites to code execution attacks.
Developed by Greg Priday, Page Builder by SiteOrigin is a drag-and-drop page creation plugin used for creating mobile-ready content. The software is actively installed on over one million websites.
The Wordfence Threat Intelligence team discovered the bugs on May 4. Both of the vulnerabilities in the plugin "allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator's browser," according to the researchers, although an admin did need to click a malicious link or attachment to trigger the attack chain.
The issues have yet to be assigned CVE numbers. However, both are deemed critical.
The first vulnerability, a cross-site request forgery (CSRF) to reflected cross-site scripting (XSS) vulnerability, was found in the plugin's live editor feature.
The live editor is used to create and update post content, as well as drag and drop widgets. Changes made to content are sent via a POST parameter and checks in metadata functions are performed to make sure users have permission to edit posts. However, there were no nonce protections in place.
An additional cross-site request forgery problem was found in the action_builder_content function of the plugin, connected to the AJAX action wp_ajax_so_panels_builder_content.
The function is used to transmit content submitted from the live editor to the standard Wordpress editor in order to update or publish posts. While permissions checks were established to make sure users had the required permissions for post_id, there was no validation of where the request came from, thereby leading to the CSRF issue.
"As with the previously mentioned CSRF to reflected XSS vulnerability, this could ultimately be used to redirect a site's administrator, create a new administrative user account, or, as seen in the recent attack campaign targeting XSS vulnerabilities, be used to inject a backdoor on a site," the team notes.
The security flaws were disclosed to the developer on the same day of discovery, May 4. Priday acknowledged the report and had a patch ready and released within 24 hours.
Wordfence thanked the developer "for an extremely prompt response and for releasing a patch very quickly."
The latest version of the plugin, v. 2.10.16, has resolved the issues. At the time of writing, 66.6% of all users have updated their builds. It is recommended that users make sure they are up-to-date.
Previous and related coverage
- Zeus Sphinx revamped as coronavirus relief payment attack wave continues
- Logistics giant Toll Group hit by ransomware for the second time in three months
- Major European private hospital operator struck by ransomware
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0