The WordPress plugin Page Builder by SiteOrigin was updated on May 5th with a patch for two separate high-severity vulnerabilities discovered by Wordfence.

For a site or its administrator to be affected, an administrator must be tricked into clicking a link to the site’s live editor that contains malicious JavaScript in the “Custom HTML” widget; that JavaScript is then executed in the administrator’s browser. This can cause the administrator to unwittingly perform actions on the site (this is known as Cross-Site Request Forgery, or CSRF), such as creating new accounts with full access, redirecting the victim elsewhere, or injecting a backdoor. Because the live preview is never saved to the database, this part of the attack is known as reflected Cross-Site Scripting (reflected XSS).

An additional CSRF vulnerability was found in another function of the plugin, the one responsible for updating posts using data from the live editor. Although it checked the user’s permissions before updating a specific post, it did not check a nonce to verify that the request was intentional.
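The two weaknesses described above, a post-update handler that checks capabilities but no nonce, and a live preview that reflects unescaped widget HTML, are shown below beside their hardened forms. This is an added, hypothetical illustration of the WordPress pattern, not the Page Builder plugin’s own code; the `example_*` function names, the `example_update_post` nonce action and the `example-live-editor` script handle are assumptions.

```php
<?php
// Weak pattern: capability check only. A request forged from another site is
// sent with the logged-in editor's cookies, so current_user_can() still passes.
function example_update_post_weak() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '',
    ) );
    wp_send_json_success();
}

// Hardened pattern: require a nonce bound to this action in addition to the
// capability check, then sanitize content the way core does on save.
function example_update_post_hardened() {
    check_ajax_referer( 'example_update_post', '_wpnonce' ); // sends 403 and exits on failure
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses_post( $content ); // strips <script> and event handlers
    }
    wp_update_post( array( 'ID' => $post_id, 'post_content' => $content ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_post', 'example_update_post_hardened' );

// The nonce is minted server-side and handed to the editor's own script, so a
// link or form crafted elsewhere cannot carry a valid one.
function example_enqueue_live_editor_script() {
    wp_localize_script( 'example-live-editor', 'exampleEditor', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_update_post' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_live_editor_script' );

// Reflected-XSS side: a preview that echoes request-supplied widget HTML
// verbatim executes any script in it; sanitizing it before output does not.
function example_render_preview_weak( $html ) {
    echo $html;
}
function example_render_preview_hardened( $html ) {
    echo wp_kses_post( wp_unslash( $html ) );
}
```

The `example-live-editor` handle is assumed to be registered with `wp_register_script()` before `wp_localize_script()` runs; the preview functions expect the raw request value (for example `$_GET['html']`) as their argument.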