Yet more WordPress plugin flaws undermine website security
Two high severity flaws have been discovered in SiteOrigin’s Page Builder plugin
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
The WordFence Threat Intelligence team has discovered two high severity vulnerabilities in SiteOrigin’s plugin Page Builder that can be exploited by hackers to create new admin accounts, plant backdoors and even take over compromised websites.
The popularWordPress pluginis installed on over 1m sites and the vulnerabilities in Page Builder version 2.10.15 and below are a Cross-Site Request Forgery (CSRF) that can lead to Reflected Cross-Site Scripting (XSS) attacks.
To exploit these vulnerabilities, an attacker needs to trick a site administrator into clicking on a specially crafted link or attachment in order to execute malicious code in their browsers.
The Page Builder plugin allows WordPress users to easily build “responsive column based content” using both widgets from WordPress and widgets from SiteOrigin’s Widgets Bundle plugin. The plugin also includes a built-in live editor which allows users to update content and drag/drop widgets in real time.
Page Builder vulnerabilities
After discovering the two high severity vulnerabilities in its WordPress plugin,WordFencecontacted Site Origin and the developer quickly released a patch the following day.
In ablog postdescribing the vulnerabilities, WordFence’s Chloe Chamberland explained just how dangerous using an older version of the plugin can be for site owners, saying:
“This flaw could be used to redirect a site’s administrator, create a new administrative user account, or, as seen in the recent attack campaign targeting XSS vulnerabilities, be used to inject a backdoor on a site.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
A skilled attacker can even fully take over compromised WordPress sites after they have createdrogue admin accountsand planted backdoors to maintain access.
At the time of writing, just over 250,000 of Page Builder’s 1m users have updated the plugin to the latest version, 2.10.16. If your site uses this plugin, it is highly recommended that you update it immediately to prevent falling victim to any attacks that capitalize on the two high severity vulnerabilities in Page Builder 2.10.15 and below.
ViaBleepingComputer
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
This new phishing strategy utilizes GitHub comments to distribute malware
Should your VPN always be on?
NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)
