• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 54

 | 

Security Affairs newsletter Round 533 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Radiology Associates of Richmond data breach impacts 1.4 million people

 | 

Fortinet FortiWeb flaw CVE-2025-25257 exploited hours after PoC release

 | 

Authorities released free decryptor for Phobos and 8base ransomware

 | 

Anne Arundel Dermatology data breach impacts 1.9 million people

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Critical flaws in Orbit Fox WordPress plugin allows site takeover

Critical flaws in Orbit Fox WordPress plugin allows site takeover

Pierluigi Paganini January 17, 2021

Two vulnerabilities in the Orbit Fox WordPress plugin, a privilege-escalation issue and a stored XSS bug, can allow site takeover.

Security experts from Wordfence have discovered two security vulnerabilities in the Orbit Fox WordPress plugin. The flaws are a privilege-escalation vulnerability and a stored XSS bug that impacts over 40,000 installs.

The Orbit Fox plugin allows site administrators to add features such as registration forms and widgets, it has been installed by 400,000+ sites.

The plugin was developed by ThemeIsle, it is designed to enhance the Elementor, Beaver Builder, and Gutenberg editors and implements additional features 

Two vulnerabilities can be exploited by attackers to inject malicious code into websites using the vulnerable version of the plugin and take over them.

“One of these flaws made it possible for attackers with contributor level access or above to escalate their privileges to those of an administrator and potentially take over a WordPress site. The other flaw made it possible for attackers with contributor or author level access to inject potentially malicious JavaScript into posts.” reads the post published by Wordfence. “These types of malicious scripts can be used to redirect visitors to malvertising sites or create new administrative users, amongst many other actions.”

The authenticated privilege-escalation flaw has been rated as critical and has received a CVSS bug-severity score of 9.9. authenticated attackers with contributor level access or above can escalate privileges to administrator and potentially take over a website.

The authenticated stored cross-site scripting (XSS) issue allows attackers with contributor or author level access to inject JavaScript into posts. An attacker could exploit this flaw to conduct multiple malicious actions, such as malvertising attacks. The flaw rated as medium severity has received a CVSS score of 6.4.

Orbit Fox plugin includes a registration widget that can be used to create a registration form with customizable fields when using the Elementor and Beaver Builder page builder plugins. Upon creating the registration form, the plugin will provide the ability to set a default role to be used whenever a user registers using the form.

“Lower-level users like contributors, authors, and editors were not shown the option to set the default user role from the editor. However, we found that they could still modify the default user role by crafting a request with the appropriate parameter,” Wordfence continues. “The plugin provided client-side protection to prevent the role selector from being shown to lower-level users while adding a registration form. Unfortunately, there were no server-side protections or validation to verify that an authorized user was actually setting the default user role in a request.”

Experts pointed out that the lack of server-side validation in Orbit Fox allows lower-level users to set their role to that of an administrator upon successful registration.

“To exploit this flaw, user registration would need to be enabled and the site would need to be running the Elementor or Beaver Builder plugins,” continues Wordfence. “A site with user registration disabled or neither of these plugins installed would not be affected by this vulnerability.”

This vulnerability allowed lower-level users to add malicious JavaScript to posts that would execute in the browser whenever a user navigated to that page.

The two vulnerabilities have been addressed with the release of version 2.10.3.

Vulnerabilities in WordPress plugins are very dangerous and could allow attackers to carry out attacks on a large scale. On December, the development team behind the Contact Form 7 WordPress plugin discloses an unrestricted file upload vulnerability, the plugin has over 5 million active installs. The issue can exploit to upload a file that can be executed as a script file on the underlying server.

In November threat actors were observed actively exploiting a zero-day vulnerability in the popular Easy WP SMTP WordPress plugin installed on more than 500,000 sites.

In the same period hackers were actively exploiting a critical remote code execution vulnerability in the File Manager plugin, over 300,000 WordPress sites were potentially exposed at the time of the discovery.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Golang-based worm)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Hacking hacking news information security news IT Information Security malware Orbit Fox Pierluigi Paganini plugin Security Affairs Security News Wordpress

you might also like

Pierluigi Paganini July 23, 2025
U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog
Read more
Pierluigi Paganini July 23, 2025
Sophos fixed two critical Sophos Firewall vulnerabilities
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

    Hacking / July 23, 2025

    Sophos fixed two critical Sophos Firewall vulnerabilities

    Security / July 23, 2025

    French Authorities confirm XSS.is admin arrested in Ukraine

    Cyber Crime / July 23, 2025

    Microsoft linked attacks on SharePoint flaws to China-nexus actors

    APT / July 23, 2025

    Cisco confirms active exploitation of ISE and ISE-PIC flaws

    Hacking / July 22, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT