Connect with us

Hi, what are you looking for?



Vulnerabilities in ‘Page Builder’ Plugin Expose 1 Million WordPress Websites

Two high-severity vulnerabilities addressed recently in SiteOrigin’s Page Builder WordPress plugin could allow an attacker to execute code in a website administrator’s browser.

Two high-severity vulnerabilities addressed recently in SiteOrigin’s Page Builder WordPress plugin could allow an attacker to execute code in a website administrator’s browser.

A page creation plugin, Page Builder by SiteOrigin helps users create column-based content that can adapt to mobile devices, and also provides them with support for the most common widgets. The plugin has more than 1 million active installations.

Both of the newly patched security flaws have been described as “Cross-Site Request Forgery (CSRF) to Reflected Cross-Site Scripting (XSS)” issues and both of them feature a CVSS score of 8.8, according to researchers at WordPress security firm Defiant.

The first bug was identified in the plugin’s built-in live editor, which allows users to follow in real-time updates made to content or widgets.

While there are checks in place to verify that the user is in the live editor, and that the user is allowed to edit posts, the plugin did not include a nonce protection to verify whether attempts to render content in the live editor came from legitimate sources or not.

This allowed an attacker to leverage some of the available widgets, such as the “Custom HTML” widget, to inject JavaScript code into a rendered live page.

“If a site administrator was tricked into accessing a crafted live preview page, any malicious JavaScript included as part of the ‘Custom HTML’ widget could be executed in the browser. The data associated with a live preview was never stored in the database, resulting in a reflected XSS flaw rather than stored XSS flaw, in conjunction with the CSRF flaw,” Defiant explains.

Advertisement. Scroll to continue reading.

The second issue resides in the plugin’s action_builder_content function, which is related to transmitting content from the live editor to publish the changes. Similarly with the first issue, it existed because no nonce protection was in place to check the source of a request.

“We discovered that the ‘Text’ widget could be used to inject malicious JavaScript due to the ability to edit content in a ‘text’ mode rather than a ‘visual’ mode. This allowed potentially malicious JavaScript to be sent unfiltered. Due to the widget data being echoed, any malicious code that was a part of the text widgets data could then be executed as part of a combined CSRF to XSS attack in a victim’s browser,” Defiant writes in a blog post.

The company has published a video to demonstrate the exploit, and explained that an attacker could abuse these flaws to redirect the administrator, create a new admin user, or inject a backdoor into the site.

Both vulnerabilities were addressed with the release of Page Builder by SiteOrigin version 2.10.16. All site admins are advised to update to the patched version as soon as possible.

Related: Elementor Plugin Vulnerabilities Exploited to Hack WordPress Sites

Related: Flaws in Ninja Forms, LearnPress Plugins Exposed WordPress Sites to Attacks

Related: Code Injection Vulnerability Found in ‘Real-Time Find and Replace’ WordPress Plugin

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.