Vulnerabilities Impacted Page Builder Over One Million Websites

WordPress plugin

The SiteOrigin WordPress plugin Page Builder was vulnerable to code execution attacks that exposed websites.

Created by Greg Priday, SiteOrigin’s Page Builder is a drag-and-drop development tool used to create content that’s ready for mobile use. The app is currently built on a million or more websites.

On May 4 the Wordfence Threat Intelligence team found out about the bugs. Both vulnerabilities in the plugin “enable attackers to forge requests on behalf of a website administrator and execute malicious code in the browser of the administrator,” according to researchers, although an administrator had to click on a malicious connection or attachment to initiate the chain of attack.

CVE numbers have yet to be allocated to the problems. Both are however deemed vital.

The first vulnerability, a cross-site request forgery (CSRF) to reflected vulnerability in cross-site scripting (XSS), was found in the live editor feature of the plugin.

The live editor is used to create and update content for posts, and to drag and drop widgets. Changes made to content are sent via a POST parameter, and checks are performed in metadata functions to ensure that users are able to edit posts. No provisions for nonce, however, were in effect.

As a result, some widgets may be used like “Custom HTML” to insert malicious JavaScript into a made live page. If an administrator accessed a crafted live preview page containing this compromised widget, this led to the CSRF / XSS reflected flaw.

The plugin’s action builder content function, which is connected to the AJAX action wp ajax so panels builder content, found an additional cross-site request forgery problem.

To update or publish articles, the function is used to transfer content submitted from the Live Editor to the standard WordPress editor. Although permission checks were developed to ensure users had the correct post I d permissions, there was no confirmation of where the request originated, leading to the CSRF problem.

This weakness differs as the XSS bug was triggered by input of JavaScript in the “text” widget, which is not filtered if material is edited in “text” rather than “visual” mode.

“As with the previously described XSS vulnerability reflected CSRF, this may potentially be used to redirect a site administrator, create a new administrative user account, or, as seen in the recent XSS vulnerability targeting attack campaign, use it to insert a backdoor on a site,” the team says.

On the same discovery day, May 4, the security bugs were revealed to the developer. Priday recognized the report and had a patch prepared and released within 24 hours.

Wordfence thanked the developer for “highly timely response and very fast release of a patch.” The most recent update of the plugin, v. 2.10.16, fixed the problems. 66.6 per cent of all users changed their builds at the time of publishing. Users are recommended to ensure they are up-to-date.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.