A stored XSS and arbitrary file-upload bug can be paired with an authorization bypass to wreak havoc.
Vulnerabilities in the Brizy Page Builder plugin for WordPress sites could be chained together to let attackers completely take over a website, according to researchers.
Brizy (or Brizy – Page Builder) is installed on more than 90,000 websites. It is billed as an intuitive website builder for people without technical skills. It comes with a collection of more than 500 pre-built blocks, maps and video integration, and drag-and-drop design features. According to researchers, prior to version 2.3.17 it also came with a stored cross-site scripting (XSS) issue and an arbitrary file-upload vulnerability.
These two bugs, when combined with another flaw that allows authorization bypass and privilege escalation, can become dangerous, Wordfence researchers cautioned.
“During a routine review of our firewall rules, we noticed traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence wrote in a Wednesday posting. “This led us to uncover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.”
Both new bugs can be chained with the reintroduced access-control vulnerability to allow complete site takeover, researchers said. Combined with the stored XSS bug, any logged-in user would be able to modify any published post and inject malicious JavaScript into it. Combined with the other bug, any logged-in user could upload potentially executable files and achieve remote code execution.
Foundation for Attack: A Reintroduced Access-Control Bug
The older access-control bug (now tracked as CVE-2021-38345) was patched in June 2020, but reintroduced in version 1..127 this year. It is a high-severity issue that stems from a lack of proper authorization checks, according to Wordfence, allowing attackers to modify posts.
Researchers noted that the plugin used a pair of administrator functions for a wide variety of authorization checks, and “any user that passed one of these checks was assumed to be an administrator.” They added, “being logged in and accessing any endpoint in the wp-admin directory was sufficient to pass this check.”
The upshot is that all logged-in users, such as subscribers to a newsletter, were allowed to modify any post or page that had been created or edited with the Brizy editor, even if it had already been published.
“While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site,” according to Wordfence’s analysis.
Authenticated Stored Cross-Site Scripting
The first follow-on bug is a medium-severity stored XSS issue (CVE-2021-38344), which allows attackers to inject malicious scripts into web pages. Because it is a stored XSS bug, rather than a reflected one, victims need only visit the infected page in order to be attacked.
On its own, the bug allows a lower-privileged user (such as a contributor or subscriber) to insert JavaScript into an update request, which would then be executed if the post were viewed or previewed by another user, such as an administrator. It becomes dangerous, however, when combined with the authorization bypass, researchers said.
“Thanks to the authorization check vulnerability, even the lowest-privileged users, such as subscribers, could add malicious JavaScript to any page, allowing them to take over a site,” the researchers said. “JavaScript running in an administrator’s session could allow an attacker to perform actions such as adding a new administrative user, escalating the privileges of an existing user, or adding backdoor functionality to existing plugin or theme files.”
Authenticated File Upload and Path Traversal
The second new bug is a high-severity arbitrary file-upload issue (CVE-2021-38346) that could allow authenticated users to upload files to a site. But again, thanks to the authorization check vulnerability, it becomes possible for subscriber-level users to elevate their privileges, then upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action, according to Wordfence researchers.
Other kinds of attacks are also possible, according to the analysis.
“While the plugin appended .JPG to all uploaded filenames, a double extension attack was also possible,” they said. “For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to circumvent execution restrictions added via .htaccess.”
Thus, “by supplying a file with a .PHP extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could successfully upload an executable PHP file and achieve full remote code execution on a site, enabling site takeover,” they added.
Users can protect themselves by updating to the latest version of the plugin, version 2.3.17.
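As an added illustration (not code from the plugin or from Wordfence), here is how a screenshot-upload handler of this shape could be hardened against the three problems described above: the missing authorization check, the ../ traversal and the double extension. The function name, the `upload_files` capability requirement and a WordPress runtime are assumptions.

```php
<?php
// Added example, not Brizy's or Wordfence's code. Names are assumed; the checks
// address the failure modes the article describes: authorization that merely
// required being logged in, ../ traversal through the id parameter, and a
// double extension such as shell.php.jpg that an unanchored Apache handler
// directive would still execute.

function save_block_screenshot(string $id, string $ibsf, string $upload_dir): ?string
{
    // Authorization first. Require a real capability (WordPress API assumed)
    // rather than treating any logged-in wp-admin request as an administrator.
    if (!current_user_can('upload_files')) {
        return null;
    }

    // Whitelist the identifier. With no dots or slashes permitted, neither a
    // second extension nor a ../ sequence can be smuggled in through $id.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        return null;
    }

    // Strict base64 decoding rejects malformed input outright.
    $data = base64_decode($ibsf, true);
    if ($data === false) {
        return null;
    }

    // Verify the bytes really are an image. PHP source fails this check no
    // matter what extension the final filename carries.
    $info = @getimagesizefromstring($data);
    if ($info === false || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
        return null;
    }
    $ext = ($info[2] === IMAGETYPE_PNG) ? '.png' : '.jpg';

    // Resolve the upload directory and confirm the final path stays inside it.
    $base = realpath($upload_dir);
    if ($base === false) {
        return null;
    }
    $path = $base . DIRECTORY_SEPARATOR . $id . $ext;
    if (dirname($path) !== $base) {
        return null;
    }

    return file_put_contents($path, $data) === false ? null : $path;
}
```

On the Apache side, the “unanchored SetHandler” caveat in the quote is the difference between `<FilesMatch "\.php">`, whose regex also matches shell.php.jpg, and `<FilesMatch "\.php$">`, which matches only filenames that end in .php.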
XSS Plugin Plague
XSS vulnerabilities in WordPress plugins have been far from scarce so far in 2021. For instance, in August an authenticated stored XSS vulnerability was found in the SEOPress WordPress plugin, which is installed on 100,000 sites.
In July, a critical XSS bug was discovered to affect WordPress sites running the Frontend File Manager plugin. It allows remote unauthenticated users to inject JavaScript code into vulnerable sites to create admin user accounts, and was just one of six critical flaws disclosed in that advisory.
In February, a stored XSS security bug was found to potentially affect 50,000 Contact Form 7 Style plugin users. The developers did not issue a patch, and WordPress removed the plugin from the WordPress plugin repository on Feb. 1.
And in January, researchers warned of yet another authenticated XSS vulnerability in a WordPress plugin named Orbit Fox that has 40,000 installs, which could let attackers inject malicious code into vulnerable sites and/or take control of a site.
Some parts of this post are sourced from:
threatpost.com