Pierluigi Paganini
May 12, 2020
Two high severity vulnerabilities found in the Page Builder WordPress can be exploited by attackers to create new admin accounts and deliver malicious code taking over the compromised websites.
The vulnerabilities are a Cross-Site Request Forgery (CSRF) leading to Reflected Cross-Site Scripting (XSS) attacks and they affect all Page Builder versions up to and including 2.10.15.
The vulnerabilities could be exploited by attackers tricking a site administrator into clicking a link or an attachment.
The Page Builder by SiteOrigin is the most popular page creation plugin for WordPress, it allows easily to create responsive column based content, using the widgets users know.
The plugin is actively installed on over one million websites.
The vulnerabilities have been discovered by experts from the Wordfence security firm.
“On Monday, May 4, 2020, the Wordfence Threat Intelligence team discovered two vulnerabilities present in Page Builder by SiteOrigin, a WordPress plugin actively installed on over 1,000,000 sites. Both of these flaws allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser.” reads the analysis published by the experts. “The attacker needs to trick a site administrator into executing an action, like clicking a link or an attachment, for the attack to succeed.”
The first flaw is a cross-site request forgery (CSRF) to reflected cross-site scripting (XSS) vulnerability that resides in the plugin’s live editor feature that allows to create and update post content, as well as drag and drop widgets.
Every change to the content is sent via a POST parameter, while checks were implemented in the post_metadata function to ensure a user accessing the live editor was allowed to edit posts, experts noticed that there was no nonce protection to verify that an attempt to render content was performed by an unauthorized source.
This means that some widgets including “Custom HTML” could be abused to inject malicious JavaScript into a rendered live page. An attacker could trick an administrator to view a specially-crafted live preview page containing a malicious widget leading to the CSRF / reflected XSS flaw.
Experts also discovered another cross-site request forgery problem in the action_builder_content function of the plugin, connected to the AJAX action wp_ajax_so_panels_builder_content.
“This function’s purpose was to transmit content submitted as panels_data from the live editor to the WordPress editor in order to update or publish the post using the content created from the live editor.”continues the analysis. “This function did have a permissions check to verify that a user had the capability to edit posts for the given post_id. However, there was no nonce protection to verify the source of a request, causing the CSRF flaw.”
The flaw could be triggered in the “text” widget injecting malicious JavaScript that is not properly filtered.
“As with the previously mentioned CSRF to reflected XSS vulnerability, this could ultimately be used to redirect a site’s administrator, create a new administrative user account, or, as seen in the recent attack campaign targeting XSS vulnerabilities, be used to inject a backdoor on a site,” continues the report.
Below the timeline for the vulnerability:
May 4, 2020 – Initial discovery and analysis of vulnerabilities. We verify the Wordfence built-in XSS firewall rule offers sufficient protection. Initial outreach to the plugin’s team.
May 4, 2020 – Plugin’s developer confirms appropriate channel and we provide full disclosure.
May 5, 2020 – Developer acknowledges vulnerabilities and advises that they should have a patch released later in the day.
May 5, 2020 – A sufficient patch is released.
The development team behind Page Builder addressed the issued with the release of v. 2.10.16. Currently, approximately 66.6% of all users have updated the plugin on their websites.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Page Builder, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
