WordPress plugin Page Builder by SiteOrigin patched against code execution attacks

The vulnerabilities impacted over one million websites.
Written by Charlie Osborne, Contributing Writer

The Page Builder by SiteOrigin WordPress plugin was subject to vulnerabilities that exposed websites to code execution attacks. 

Developed by Greg Priday, Page Builder by SiteOrigin is a drag-and-drop page creation plugin used for creating mobile-ready content. The software is actively installed on over one million websites. 

The Wordfence Threat Intelligence team discovered the bugs on May 4. Both of the vulnerabilities in the plugin "allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator's browser," according to the researchers, although an admin did need to click a malicious link or attachment to trigger the attack chain. 


The issues have yet to be assigned CVE numbers. However, both are deemed critical. 

The first vulnerability, a cross-site request forgery (CSRF) to reflected cross-site scripting (XSS) vulnerability, was found in the plugin's live editor feature. 

The live editor is used to create and update post content and to drag and drop widgets. Changes to content are sent in a POST parameter, and the plugin's metadata functions check that the user has permission to edit the post in question. However, no nonce was checked, so the plugin never verified that the request had been intentionally sent by that user rather than forged by a third-party page the user happened to be viewing. 

As a result, widgets such as "Custom HTML" could be used to inject arbitrary JavaScript into a rendered live preview page. An attacker could craft a request for a live preview containing such a widget and trick an administrator into loading it; the script then executed in the administrator's browser, making this a CSRF leading to reflected XSS. 

An additional cross-site request forgery problem was found in the action_builder_content function of the plugin, connected to the AJAX action wp_ajax_so_panels_builder_content.

The function transmits content submitted from the live editor to the standard WordPress editor in order to update or publish posts. While a permissions check ensured the user was allowed to edit the given post_id, there was no validation of where the request originated, which is the CSRF issue. 


This second issue differs in how the XSS payload is delivered: JavaScript entered into the "Text" widget is not filtered when the widget's content is edited in "text" mode rather than "visual" mode, so a forged request could plant a script that runs when the content is rendered. 
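To make the two weaknesses described above concrete (the missing nonce check in both the live editor and the builder-content AJAX action, and the unfiltered HTML from the Text widget), the following is an added illustration in PHP. It is not code from Page Builder by SiteOrigin, from Wordfence, or from the actual patch; it is a generic WordPress AJAX handler showing the insufficient pattern beside a hardened one. The plugin prefix "demo_builder", the action "demo_save_content", the meta key and the "panels_html" parameter are invented for this example; the WordPress functions used (check_ajax_referer, current_user_can, wp_kses_post, wp_create_nonce, wp_localize_script) are real core APIs.

```php
<?php
/**
 * Illustrative WordPress AJAX handlers (not the plugin's own code).
 * Hypothetical names: the "demo_builder" prefix, the "demo_save_content"
 * action, the "_demo_panels_html" meta key and the "panels_html" POST
 * parameter are invented for this example.
 */

// BEFORE: capability check only. A logged-in administrator who visits an
// attacker-controlled page can be made to POST here via an auto-submitted
// hidden form, because nothing proves the request originated from a page
// the plugin itself served to that user.
function demo_builder_save_content_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;

    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Raw HTML stored as-is: a <script> tag or an onerror= attribute
    // survives and runs for whoever renders the post next.
    $html = wp_unslash( $_POST['panels_html'] );
    update_post_meta( $post_id, '_demo_panels_html', $html );

    wp_send_json_success();
}

// AFTER: the nonce check ties the request to a page WordPress served to
// this user in this session, and wp_kses_post() strips script tags and
// event-handler attributes before the HTML is stored.
function demo_builder_save_content_hardened() {
    // check_ajax_referer() terminates the request with HTTP 403 when the
    // nonce is absent, expired, or was issued for another user or action.
    check_ajax_referer( 'demo_save_content', '_ajax_nonce' );

    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;

    // Still required: the nonce proves the request is genuine, not that
    // this user may edit this particular post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $html = wp_kses_post( wp_unslash( $_POST['panels_html'] ) );
    update_post_meta( $post_id, '_demo_panels_html', $html );

    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_content', 'demo_builder_save_content_hardened' );

// The nonce is minted server-side and handed to the editor's JavaScript,
// which sends it back as the _ajax_nonce POST field. Because the value is
// derived from the logged-in user's session token, a third-party page
// cannot guess it or read it across origins.
function demo_builder_enqueue_editor_script() {
    wp_enqueue_script(
        'demo-builder-editor',
        plugins_url( 'editor.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script(
        'demo-builder-editor',
        'demoBuilder',
        array(
            'ajaxUrl' => admin_url( 'admin-ajax.php' ),
            'nonce'   => wp_create_nonce( 'demo_save_content' ),
        )
    );
}
add_action( 'admin_enqueue_scripts', 'demo_builder_enqueue_editor_script' );
```

The two checks answer different questions and neither replaces the other: the capability check asks whether this user is authorised to edit this post, while the nonce check asks whether this user actually meant to send this request. A handler with only the first, as in the vulnerable function, is exactly the shape the article describes. Filtering the stored HTML with wp_kses_post() is the defence-in-depth layer for the Text-widget case; it would have blunted the payload even if the forged request got through.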

"As with the previously mentioned CSRF to reflected XSS vulnerability, this could ultimately be used to redirect a site's administrator, create a new administrative user account, or, as seen in the recent attack campaign targeting XSS vulnerabilities, be used to inject a backdoor on a site," the team notes. 

The security flaws were disclosed to the developer on the same day of discovery, May 4. Priday acknowledged the report and had a patch ready and released within 24 hours. 


Wordfence thanked the developer "for an extremely prompt response and for releasing a patch very quickly."

The latest version of the plugin, 2.10.16, resolves both issues. At the time of writing, 66.6% of users had updated their installations; anyone running an older version should update now. 
