WordPress plugin Page Builder by SiteOrigin was updated on May 5th with a patch preventing two separate high severity vulnerabilities discovered by Wordfence. For a site or its administrator to be affected, an administrator must be tricked into clicking a link to the site’s live editor that contains malicious JavaScript in the “Custom HTML” widget which would then be executed in the browser. This can cause the administrator to unwittingly perform actions on the site (this is known as Cross-Site Request Forgery or CSRF) such as creating new accounts with full access, redirecting the victim elsewhere or injecting a backdoor. Because the live preview is never saved to a database, this part of the attack is known as “reflected Cross-Site Scripting” (reflected XSS). An additional CSRF vulnerability was found in another function of the plugin responsible for updating posts using data from the live editor. Although it checked for user permissions before updating a specific post, it did not contain a nonce to verify the request.
Analyst Notes
Binary Defense analysts frequently observe compromised WordPress sites being used to host malware or launch other attacks. WordPress site owners should keep up-to-date with announced vulnerabilities and patches for WordPress and every plugin used by their site. The developers of Page Builder responded to the Wordfence disclosure and patched these vulnerabilities within a day. Binary Defense highly recommends all sites utilizing the plugin to update to version 2.10.16 as soon as possible. All prior versions are potentially vulnerable. Binary Defense also recommends performing regular account audits to ensure that only expected accounts exist with only the required permissions. File integrity monitoring (FIM) is also another great way to quickly detect if any file has modified or added to a site’s installation directory.
Source: https://www.wordfence.com/blog/2020/05/vulnerabilities-patched-in-page-builder-by-siteorigin-affects-over-1-million-sites/
