Security researchers from Wordfence discovered that the Orbit Fox WordPress plugin contained two vulnerabilities. One of them could lead to privilege escalation (rated critical), and the other one is a stored XSS flaw (rated medium).
The Orbit Fox plugin has 40,000 installations, meaning that all these websites should check whether they are running the latest plugin version – 2.10.3.
Orbit Fox by ThemeIsle is a multi-featured plugin that works with Elementor, Beaver Builder, and Gutenberg. Its purpose is to let site admins add various features, such as registration forms and widgets.
Orbit Fox Plugin Authenticated Privilege Escalation Vulnerability
The critical security flaw could lead to privilege escalation. The issue stems from its registration widget, which creates a registration form with customizable fields when using Elementor and Beaver Builder.
To provide this functionality, the plugin allows a default role to be set that is assigned whenever a user registers through the form. Even though lower-level users (contributors, authors, editors) were not given the option to set the default role from the editor, they could still modify it by crafting a specific request. Furthermore, the researchers found no server-side protections or validation to verify whether the user setting the default role in a request was actually authorized to do so.
According to the report:
The lack of server-side validation meant that a lower-level user with access to the page/post editor like contributors, authors, and editors could create a registration form and set the user role to that of an administrator upon successful registration. Once the registration form was created, the user could simply register a new user and that user would be granted administrator privileges even while still authenticated to the WordPress instance.
Attackers could exploit this vulnerability only if user registration was enabled on the site and the Elementor or Beaver Builder plugin was active.
Orbit Fox Plugin Authenticated Stored Cross Site Scripting Flaw
The vulnerability allowed lower-level users such as contributors and authors to add scripts to posts: malicious JavaScript inserted into a WordPress post would execute in the browser of any visitor to that page.
“As always with XSS vulnerabilities, this would make it possible for attackers to create new administrative users, inject malicious redirects and backdoors, or alter other site content through the use of malicious JavaScript,” Wordfence noted.
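Both issues above come down to the same missing server-side controls: nothing verified that the user choosing the default registration role was allowed to hand out that role, and widget content reached the page without being sanitized. The following is an added, hypothetical example written for this article (it is not Orbit Fox code and does not reproduce the plugin's internals) of how a registration-widget settings handler can enforce those controls in WordPress. The function names, the option/field names and the `ORBIT_EXAMPLE_ALLOWED_ROLES` allowlist are assumptions for illustration; the WordPress API calls (`current_user_can`, `wp_kses_post`, `get_role`, `wp_create_user`, and so on) are real.

```php
<?php
/**
 * Hypothetical example (not the plugin's own code): server-side hardening
 * of a registration-widget settings handler. Two defences are shown:
 *   1. the "default role" given to new registrants is accepted only from
 *      users who may promote users, and only if it is an allowed role;
 *   2. free-text widget fields are sanitized before they are stored, so
 *      script injected by a contributor or author never reaches the page.
 * All orbit_example_* names and field names are assumptions.
 */

// Roles a registration form is ever allowed to hand out. Privileged roles
// such as 'administrator' or 'editor' must never appear here.
const ORBIT_EXAMPLE_ALLOWED_ROLES = array( 'subscriber', 'customer' );

/**
 * Validate a requested default role. Returns the role to store, or a
 * WP_Error. The capability check is the control the article describes
 * as missing: without it, anyone who can edit a post can pick the role.
 */
function orbit_example_validate_default_role( $requested ) {
    if ( ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'forbidden', 'Only users who can promote users may set the default role.' );
    }
    $role = sanitize_key( (string) $requested );
    if ( ! in_array( $role, ORBIT_EXAMPLE_ALLOWED_ROLES, true ) ) {
        return new WP_Error( 'invalid_role', 'Role is not on the allowlist.' );
    }
    // The role must also exist in this installation.
    if ( null === get_role( $role ) ) {
        return new WP_Error( 'unknown_role', 'Role does not exist.' );
    }
    return $role;
}

/**
 * Sanitize the widget settings as submitted from the page builder.
 * HTML-bearing fields go through wp_kses_post(), which strips <script>
 * tags and event-handler attributes while keeping ordinary post markup.
 */
function orbit_example_sanitize_widget_settings( array $settings ) {
    $clean                 = array();
    $clean['form_title']   = sanitize_text_field( $settings['form_title'] ?? '' );
    $clean['description']  = wp_kses_post( $settings['description'] ?? '' );
    $clean['button_label'] = sanitize_text_field( $settings['button_label'] ?? '' );

    $role = orbit_example_validate_default_role( $settings['default_role'] ?? 'subscriber' );
    // On any failure fall back to the least-privileged role rather than
    // trusting whatever the request asked for.
    $clean['default_role'] = is_wp_error( $role ) ? 'subscriber' : $role;
    return $clean;
}

/**
 * Server-side registration handler: the role comes from the stored,
 * validated settings, never from the registration request itself, and it
 * is checked against the allowlist again in case stale settings survive.
 */
function orbit_example_register_user( $username, $email, array $stored_settings ) {
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.' );
    }
    $role = $stored_settings['default_role'] ?? 'subscriber';
    if ( ! in_array( $role, ORBIT_EXAMPLE_ALLOWED_ROLES, true ) ) {
        $role = 'subscriber';
    }
    $user_id = wp_create_user( sanitize_user( $username ), wp_generate_password(), sanitize_email( $email ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    $user = new WP_User( $user_id );
    $user->set_role( $role );
    return $user_id;
}

// At render time, escape again on output; sanitizing on save is not a
// substitute for escaping when the value is printed into HTML:
//   echo esc_html( $clean['form_title'] );
//   echo wp_kses_post( $clean['description'] );
```

The important design point is that authorization and validation happen on the server where the request is handled, not in the editor UI: hiding the role selector from contributors does nothing if the save handler still accepts a `default_role` field from anyone who can edit a post. Escaping on output in addition to sanitizing on save covers the case where tainted settings were stored before the fix was deployed.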
In conclusion
The two vulnerabilities have been fully patched in Orbit Fox version 2.10.3. Plugin users should immediately update to the latest version to avoid any further issues. Full technical disclosure of the issues is available in the original report.