Two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.
Orbit Fox is a multi-featured WordPress plugin that works with the Elementor, Beaver Builder and Gutenberg site-building utilities. It allows site administrators to add features such as registration forms and widgets. The plugin, from a developer called ThemeIsle, has been installed by 400,000+ sites.
According to researchers at Wordfence, the first flaw (CVEs are pending) is an authenticated privilege-escalation flaw that carries a CVSS bug-severity score of 9.9, making it critical. Authenticated attackers with contributor level access or above can elevate themselves to administrator status and potentially take over a WordPress site.
The second bug meanwhile is an authenticated stored cross-site scripting (XSS) issue that allows attackers with contributor or author level access to inject JavaScript into posts. This injection could be used to redirect visitors to malvertising sites or create new administrative users, among other actions. It’s rated 6.4 on the CVSS scale, making it medium severity.
Privilege Escalation
The privilege-escalation bug exists in the Orbit Fox registration widget, according to researchers.
The widget is used to create registration forms with customizable fields when using the Elementor and Beaver Builder page-builder plugins. Site administrators can set a default role to be assigned to users who register on the site using the form.
“Lower-level users like contributors, authors, and editors were not shown the option to set the default user role from the editor. However, we found that they could still modify the default user role by crafting a request with the appropriate parameter,” Wordfence researchers explained, in a Tuesday posting. “The plugin provided client-side protection to prevent the role selector from being shown to lower-level users while adding a registration form. Unfortunately, there were no server-side protections or validation to verify that an authorized user was actually setting the default user role in a request.”
Server-side validation happens when data is sent to the server as a user enters it into a form. Once the server receives the request, it will then check for security issues, ensure that data is formatted correctly and prepare the submission for inserting or updating to a data source.
The lack of server-side validation in Orbit Fox means that lower-level contributors, authors and editors for the site could set the user role to that of an administrator upon successful registration – so, all attackers would need to do is register themselves as new users and would then be granted administrator privileges.
“To exploit this flaw, user registration would need to be enabled and the site would need to be running the Elementor or Beaver Builder plugins,” according to Wordfence. “A site with user registration disabled or neither of these plugins installed would not be affected by this vulnerability.”
Stored XSS
The medium-severity issue arises because contributors and authors are able to add scripts to posts, despite not having the unfiltered_html capability due to the header and footer script feature in Orbit Fox, according to Wordfence.
“This flaw allowed lower-level users to add malicious JavaScript to posts that would execute in the browser whenever a user navigated to that page,” researchers explained. “As always with XSS vulnerabilities, this would make it possible for attackers to create new administrative users, inject malicious redirects and backdoors, or alter other site content through the use of malicious JavaScript.”
Both problems are patched in version 2.10.3; those sites running versions of Orbit Fox 2.10.2 and below should update as soon as possible.
WordPress Plugin Problems
The Orbit Fox bugs are the latest in the line of faulty WordPress plugins that have come in recent months.
In October, two high-severity vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations, were found to open the door to site takeovers. To boot, nearly identical bugs are also found in Post Grid’s sister plug-in, Team Showcase, which has 6,000 installations.
In September, a high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram was found to affect more than 100,000 WordPress websites.
Earlier, in August, a plugin that is designed to add quizzes and surveys to WordPress websites patched two critical vulnerabilities. The flaws could be exploited by remote, unauthenticated attackers to launch varying attacks – including fully taking over vulnerable websites. Also in August, Newsletter, a WordPress plugin with more than 300,000 installations, was discovered to have a pair of vulnerabilities that could lead to code-execution and even site takeover.
And, researchers in July warned of a critical vulnerability in a WordPress plugin called Comments – wpDiscuz, which is installed on more than 70,000 websites. The flaw gave unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.
Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.