The WordFence Threat Intelligence team has discovered two high severity vulnerabilities in SiteOrigin’s plugin Page Builder that can be exploited by hackers to create new admin accounts, plant backdoors and even take over compromised websites.
The popular WordPress plugin is installed on over 1m sites and the vulnerabilities in Page Builder version 2.10.15 and below are a Cross-Site Request Forgery (CSRF) that can lead to Reflected Cross-Site Scripting (XSS) attacks.
To exploit these vulnerabilities, an attacker needs to trick a site administrator into clicking on a specially crafted link or attachment in order to execute malicious code in their browsers.
The Page Builder plugin allows WordPress users to easily build “responsive column based content” using both widgets from WordPress and widgets from SiteOrigin’s Widgets Bundle plugin. The plugin also includes a built-in live editor which allows users to update content and drag/drop widgets in real time.
Page Builder vulnerabilities
After discovering the two high severity vulnerabilities in its WordPress plugin, WordFence contacted Site Origin and the developer quickly released a patch the following day.
In a blog post describing the vulnerabilities, WordFence’s Chloe Chamberland explained just how dangerous using an older version of the plugin can be for site owners, saying:
“This flaw could be used to redirect a site’s administrator, create a new administrative user account, or, as seen in the recent attack campaign targeting XSS vulnerabilities, be used to inject a backdoor on a site.”
A skilled attacker can even fully take over compromised WordPress sites after they have created rogue admin accounts and planted backdoors to maintain access.
At the time of writing, just over 250,000 of Page Builder’s 1m users have updated the plugin to the latest version, 2.10.16. If your site uses this plugin, it is highly recommended that you update it immediately to prevent falling victim to any attacks that capitalize on the two high severity vulnerabilities in Page Builder 2.10.15 and below.
Via BleepingComputer
