Page Builder by SiteOrigin, a WordPress plugin with a million active installs that’s used to build websites via a drag-and-drop function, harbors two flaws that can allow full site takeover.
According to researchers at WordPress, both security bugs can lead to cross-site request forgery (CSRF) and reflected cross-site scripting (XSS). They “allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser,” according to Wordfence researchers, in a Monday posting.
They assigned both flaws a severity rating of 8.8 out of 10, but no CVEs have yet been assigned.
Inside the Bugs
If exploited, both bugs could be used to redirect a site’s administrator, create a new administrative user account or inject a backdoor on a site.
The first issue lies in the built-in live editor within the plugin – this feature lets users update content and drag/drop widgets, while gaining a real-time view of the changes on the given website.
“In order to show the modifications in real time through the live editor, the plugin registers the is_live_editor() function to check if a user is in the live editor,” explained Wordfence researchers. “If the user is in the live editor, the siteorigin_panels_live_editor parameter will be set to ‘true’ and register that a user is accessing the live editor. The plugin will then attempt to include the live editor file which renders all of the content.”
This “live-editor-preview.php” rendering file thus updates the page preview with changes made, in real-time.
The problem is that there is no nonce protection to verify that an attempt to render content in the live editor came from a legitimate source, according to Wordfence.
“Some of the available widgets, such as the ‘Custom HTML’ widget, could be used to inject malicious JavaScript into a rendered live page,” the researchers wrote. “If a site administrator was tricked into accessing a crafted live preview page, any malicious JavaScript included as part of the Custom HTML widget could be executed in the browser.”
The data associated with a live preview was never stored in the database, resulting in a reflected XSS flaw rather than stored XSS flaw, in conjunction with the CSRF flaw.
A second flaw is also a CRSF to XSS issue, this time in the action_builder_content function of the plugin, which is tied to the AJAX action wp_ajax_so_panels_builder_content.
“This function’s purpose was to transmit content submitted as panels_data from the live editor to the WordPress editor in order to update or publish the post using the content created from the live editor,” the researchers said. “This function did have a permissions check to verify that a user had the capability to edit posts for the given post_id. However, there was no nonce protection to verify the source of a request, causing the CSRF flaw.”
In testing exploits, the researchers found that the “Text” widget could be used to inject malicious JavaScript due to the ability to edit content in a “text” mode rather than a “visual” mode.
“This allowed potentially malicious JavaScript to be sent unfiltered,” according to Wordfence. “Due to the widget data being echoed, any malicious code that was a part of the text widgets data could then be executed as part of a combined CSRF to XSS attack in a victim’s browser.”
Patches
The bugs affect Page Builder by SiteOrigin version 2.10.15 and below; to avoid full site takeover, admins should upgrade their plugins to version 2.10.16.
It should also be noted that an attacker needs to trick a site administrator into executing an action, like clicking a link or an attachment, for the attack to succeed.
WordPress plugins continue to be plagued with vulnerabilities. Last month, it was revealed that legions of website visitors could be infected with drive-by malware, among other issues, thanks to a CSRF bug in Real-Time Search and Replace.
Also in April, a pair of security vulnerabilities (one of them critical) in the WordPress search engine optimization (SEO) plugin known as Rank Math, were found. They could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. RankMath is a WordPress plugin with more than 200,000 installations.
In March, a critical vulnerability in a WordPress plugin known as “ThemeREX Addons” was found that could open the door for remote code execution in 44,000 websites.
Also in March, two vulnerabilities – including a high-severity flaw – were patched in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to infect malicious JavaScript into a popup – potentially opening up more than 100,000 websites to takeover.
And in February, popular WordPress plugin Duplicator, which has more than 1 million active installations, was discovered to have an unauthenticated arbitrary file download vulnerability that was being attacked. And, earlier that month, a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) was disclosed. The flaw could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.
Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.
Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.