
Critical flaws in Orbit Fox WordPress plugin allow site takeover

Two vulnerabilities in the Orbit Fox WordPress plugin, a privilege-escalation issue and a stored XSS bug, can allow site takeover.

Security experts from Wordfence have discovered two security vulnerabilities in the Orbit Fox WordPress plugin. The flaws are a privilege-escalation vulnerability and a stored XSS bug that impact over 40,000 installs.

The Orbit Fox plugin allows site administrators to add features such as registration forms and widgets; it has been installed by 400,000+ sites.

The plugin was developed by ThemeIsle; it is designed to enhance the Elementor, Beaver Builder, and Gutenberg editors and implements additional features.

Attackers can exploit the two vulnerabilities to inject malicious code into websites running the vulnerable version of the plugin and take them over.

“One of these flaws made it possible for attackers with contributor level access or above to escalate their privileges to those of an administrator and potentially take over a WordPress site. The other flaw made it possible for attackers with contributor or author level access to inject potentially malicious JavaScript into posts.” reads the post published by Wordfence. “These types of malicious scripts can be used to redirect visitors to malvertising sites or create new administrative users, amongst many other actions.”

The authenticated privilege-escalation flaw has been rated as critical and has received a CVSS bug-severity score of 9.9. Authenticated attackers with contributor level access or above can escalate privileges to administrator and potentially take over a website.

The authenticated stored cross-site scripting (XSS) issue allows attackers with contributor or author level access to inject JavaScript into posts. An attacker could exploit this flaw to conduct multiple malicious actions, such as malvertising attacks. The flaw, rated as medium severity, has received a CVSS score of 6.4.

The Orbit Fox plugin includes a registration widget that can be used to create a registration form with customizable fields when using the Elementor and Beaver Builder page builder plugins. When a registration form is created, the plugin lets the form's author set a default role that is assigned whenever a user registers through the form.

“Lower-level users like contributors, authors, and editors were not shown the option to set the default user role from the editor. However, we found that they could still modify the default user role by crafting a request with the appropriate parameter,” Wordfence continues. “The plugin provided client-side protection to prevent the role selector from being shown to lower-level users while adding a registration form. Unfortunately, there were no server-side protections or validation to verify that an authorized user was actually setting the default user role in a request.”

Experts pointed out that the lack of server-side validation in Orbit Fox allows lower-level users to set their role to that of an administrator upon successful registration.

“To exploit this flaw, user registration would need to be enabled and the site would need to be running the Elementor or Beaver Builder plugins,” continues Wordfence. “A site with user registration disabled or neither of these plugins installed would not be affected by this vulnerability.”
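The server-side check whose absence is described above, sketched as an added example (not code from the Orbit Fox plugin or from Wordfence). The `user_role` settings key, both function names and the allow-list are assumptions; the `promote_users` capability and the `default_role` option are WordPress's own.

```php
<?php
// Constructed model of a registration-form widget; the 'user_role' key and both
// function names are hypothetical and are not taken from the Orbit Fox source.

// Vulnerable pattern: the role stored with the form is trusted as-is. Hiding the
// selector in the editor does not stop a crafted save request from setting it.
function role_for_new_user_unchecked(array $formSettings): string {
    return $formSettings['user_role'] ?? 'subscriber';
}

// Hardened pattern: honour the stored role only when the user who saved the form
// is allowed to assign roles and the role is on an explicit allow-list.
// In a plugin, the capability test would be current_user_can('promote_users')
// at save time and $siteDefault would come from get_option('default_role').
function role_for_new_user_checked(
    array $formSettings,
    array $saverCaps,
    string $siteDefault = 'subscriber',
    array $allowedRoles = ['subscriber', 'contributor']
): string {
    $requested = $formSettings['user_role'] ?? $siteDefault;
    if (!is_string($requested)) {
        return $siteDefault;            // reject arrays or other injected types
    }
    $requested = strtolower(trim($requested));
    $mayAssign = in_array('promote_users', $saverCaps, true);
    if (!$mayAssign || !in_array($requested, $allowedRoles, true)) {
        return $siteDefault;            // fall back instead of granting the role
    }
    return $requested;
}

// Constructed sample: a form whose stored role was tampered with.
$tampered        = ['user_role' => 'administrator'];
$contributorCaps = ['read', 'edit_posts', 'delete_posts'];
$adminCaps       = ['read', 'edit_posts', 'promote_users', 'manage_options'];

// One line per case: unchecked, saved by contributor, saved by admin but role
// not on the allow-list, saved by admin with an allowed role.
echo role_for_new_user_unchecked($tampered), "\n";
echo role_for_new_user_checked($tampered, $contributorCaps), "\n";
echo role_for_new_user_checked($tampered, $adminCaps), "\n";
echo role_for_new_user_checked(['user_role' => 'contributor'], $adminCaps), "\n";
```

The allow-list matters even for trusted editors: a public registration form that hands out `administrator` is a takeover path regardless of who configured it.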

The stored XSS vulnerability allowed lower-level users to add malicious JavaScript to posts that would execute in the browser whenever a user navigated to that page.

The two vulnerabilities have been addressed with the release of version 2.10.3.

Vulnerabilities in WordPress plugins are very dangerous and could allow attackers to carry out attacks on a large scale. In December, the development team behind the Contact Form 7 WordPress plugin disclosed an unrestricted file upload vulnerability; the plugin has over 5 million active installs. The issue can be exploited to upload a file that can be executed as a script file on the underlying server.

In November, threat actors were observed actively exploiting a zero-day vulnerability in the popular Easy WP SMTP WordPress plugin installed on more than 500,000 sites.

In the same period, hackers were actively exploiting a critical remote code execution vulnerability in the File Manager plugin; over 300,000 WordPress sites were potentially exposed at the time of the discovery.


Pierluigi Paganini

(SecurityAffairs – hacking, Golang-based worm)
