Severe CSRF to XSS bugs open the door to code execution and complete website compromise.
Page Builder by SiteOrigin, a WordPress plugin with a million active installs that’s used to build websites via a drag-and-drop function, harbors two flaws that can allow full site takeover.
According to researchers at WordPress, both security bugs can lead to cross-site request forgery (CSRF) and reflected cross-site scripting (XSS). They “allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser,” according to Wordfence researchers, in a Monday posting.
They assigned both flaws a severity rating of 8.8 out of 10, but no CVEs have yet been assigned.
Inside the Bugs
If exploited, both bugs could be used to redirect a site’s administrator, create a new administrative user account or inject a backdoor on a site.
The first issue lies in the built-in live editor within the plugin – this feature lets users update content and drag/drop widgets, while gaining a real-time view of the changes on the given website.
“In order to show the modifications in real time through the live editor, the plugin registers the is_live_editor() function to check if a user is in the live editor,” explained Wordfence researchers. “If the user is in the live editor, the siteorigin_panels_live_editor parameter will be set to ‘true’ and register that a user is accessing the live editor. The plugin will then attempt to include the live editor file which renders all of the content.”
This “live-editor-preview.php” rendering file thus updates the page preview with changes made, in real-time.
The problem is that there is no nonce protection to verify that an attempt to render content in the live editor came from a legitimate source, according to Wordfence.
The data associated with a live preview was never stored in the database, resulting in a reflected XSS flaw rather than stored XSS flaw, in conjunction with the CSRF flaw.
A second flaw is also a CRSF to XSS issue, this time in the action_builder_content function of the plugin, which is tied to the AJAX action wp_ajax_so_panels_builder_content.
“This function’s purpose was to transmit content submitted as panels_data from the live editor to the WordPress editor in order to update or publish the post using the content created from the live editor,” the researchers said. “This function did have a permissions check to verify that a user had the capability to edit posts for the given post_id. However, there was no nonce protection to verify the source of a request, causing the CSRF flaw.”
The bugs affect Page Builder by SiteOrigin version 2.10.15 and below; to avoid full site takeover, admins should upgrade their plugins to version 2.10.16.
It should also be noted that an attacker needs to trick a site administrator into executing an action, like clicking a link or an attachment, for the attack to succeed.
WordPress plugins continue to be plagued with vulnerabilities. Last month, it was revealed that legions of website visitors could be infected with drive-by malware, among other issues, thanks to a CSRF bug in Real-Time Search and Replace.
Also in April, a pair of security vulnerabilities (one of them critical) in the WordPress search engine optimization (SEO) plugin known as Rank Math, were found. They could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. RankMath is a WordPress plugin with more than 200,000 installations.
In March, a critical vulnerability in a WordPress plugin known as “ThemeREX Addons” was found that could open the door for remote code execution in 44,000 websites.
Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.
Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.