Two high-severity vulnerabilities addressed recently in SiteOrigin’s Page Builder WordPress plugin could allow an attacker to execute code in a website administrator’s browser.
A page creation plugin, Page Builder by SiteOrigin helps users create column-based content that can adapt to mobile devices, and also provides them with support for the most common widgets. The plugin has more than 1 million active installations.
Both of the newly patched security flaws have been described as “Cross-Site Request Forgery (CSRF) to Reflected Cross-Site Scripting (XSS)” issues and both of them feature a CVSS score of 8.8, according to researchers at WordPress security firm Defiant.
The first bug was identified in the plugin’s built-in live editor, which allows users to follow in real-time updates made to content or widgets.
While there are checks in place to verify that the user is in the live editor, and that the user is allowed to edit posts, the plugin did not include a nonce protection to verify whether attempts to render content in the live editor came from legitimate sources or not.
The second issue resides in the plugin’s action_builder_content function, which is related to transmitting content from the live editor to publish the changes. Similarly with the first issue, it existed because no nonce protection was in place to check the source of a request.
The company has published a video to demonstrate the exploit, and explained that an attacker could abuse these flaws to redirect the administrator, create a new admin user, or inject a backdoor into the site.
Both vulnerabilities were addressed with the release of Page Builder by SiteOrigin version 2.10.16. All site admins are advised to update to the patched version as soon as possible.