Two Vulnerabilities found in Page Builder By SiteOrigin, a plugin actively installed on over 1,000,000 WordPress websites.
SiteOrigin Page Builder is the most popular page creation plugin for WordPress websites. It makes it easy to create responsive column based content, using the widgets you know and love, and your content will accurately adapt to all mobile devices, ensuring your site is mobile-ready.
The Wordfence Threat Intelligence team found Two vulnerabilities in Page Builder By SiteOrigin. Both of these flaws allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser. The attacker needs to trick a site administrator into executing an action, like clicking a link or an attachment, for the attack to succeed.
What Vulnerabilities Can Do?
The Wordfence security team found Cross-Site Request Forgery flaw in the action_builder_content function of the plugin. With this function, the “Custom HTML” widget did not create an XSS flaw in the same way as the previous vulnerability due to some sanitization features.
This flaw could be used to redirect a site’s administrator, create a new administrative user account.
- May 4, 2020 – Initial discovery and analysis of vulnerabilities. We verify the Wordfence built-in XSS firewall rule offers sufficient protection. Initial outreach to the plugin’s team.
- May 4, 2020 – Plugin’s developer confirms appropriate channel and we provide full disclosure.
- May 5, 2020 – Developer acknowledges vulnerabilities and advises that they should have a patch released later in the day.
- May 5, 2020 – A sufficient patch is released.
Vulnerability Fixed – Update Now
If you are using Page Builder plugin then you need to update it now. Wordfence team are considered high-risk security issues that could lead to full site takeover and recommending an immediate update of Page Builder by SiteOrigin to the latest version available. At the time of writing, that is version 2.10.16.