Two high-severity vulnerabilities addressed recently in SiteOrigin’s Page Builder WordPress plugin could allow an attacker to execute code in a website administrator’s browser.
A page creation plugin, Page Builder by SiteOrigin helps users create column-based content that can adapt to mobile devices, and also provides them with support for the most common widgets. The plugin has more than 1 million active installations.
Both of the newly patched security flaws have been described as “Cross-Site Request Forgery (CSRF) to Reflected Cross-Site Scripting (XSS)” issues and both of them feature a CVSS score of 8.8, according to researchers at WordPress security firm Defiant.
The first bug was identified in the plugin’s built-in live editor, which allows users to follow in real-time updates made to content or widgets.
While there are checks in place to verify that the user is in the live editor, and that the user is allowed to edit posts, the plugin did not include a nonce protection to verify whether attempts to render content in the live editor came from legitimate sources or not.
This allowed an attacker to leverage some of the available widgets, such as the “Custom HTML” widget, to inject JavaScript code into a rendered live page.
“If a site administrator was tricked into accessing a crafted live preview page, any malicious JavaScript included as part of the ‘Custom HTML’ widget could be executed in the browser. The data associated with a live preview was never stored in the database, resulting in a reflected XSS flaw rather than stored XSS flaw, in conjunction with the CSRF flaw,” Defiant explains.
The second issue resides in the plugin’s action_builder_content function, which is related to transmitting content from the live editor to publish the changes. Similarly with the first issue, it existed because no nonce protection was in place to check the source of a request.
“We discovered that the ‘Text’ widget could be used to inject malicious JavaScript due to the ability to edit content in a ‘text’ mode rather than a ‘visual’ mode. This allowed potentially malicious JavaScript to be sent unfiltered. Due to the widget data being echoed, any malicious code that was a part of the text widgets data could then be executed as part of a combined CSRF to XSS attack in a victim’s browser,” Defiant writes in a blog post.
The company has published a video to demonstrate the exploit, and explained that an attacker could abuse these flaws to redirect the administrator, create a new admin user, or inject a backdoor into the site.
Both vulnerabilities were addressed with the release of Page Builder by SiteOrigin version 2.10.16. All site admins are advised to update to the patched version as soon as possible.
Related: Elementor Plugin Vulnerabilities Exploited to Hack WordPress Sites
Related: Flaws in Ninja Forms, LearnPress Plugins Exposed WordPress Sites to Attacks
Related: Code Injection Vulnerability Found in ‘Real-Time Find and Replace’ WordPress Plugin