Two vulnerabilities were reported in Page Builder by SiteOrigin, which is a very popular WordPress plugin installed on more than 1 million websites.
The security flaws are described as “Cross-Site Request Forgery to Reflected Cross-Site Scripting”. They could enable attackers to forge requests on behalf of the site admin to execute malicious code in the admin’s browser, says the Wordfence Threat Intelligence team.
How can the Page Builder by SiteOrigin vulnerabilities be exploited?
To exploit the two vulnerabilities, an attacker would have to trick the site administrator into performing a specific action, such as clicking on a link or an attachment. The good news is that, after Wordfence contacted the plugin developer, a patch was quickly released.
Nonetheless, the vulnerabilities are considered high-risk as they can lead to a full site takeover if left unpatched. To avoid compromise, website admins are urged to update the Page Builder plugin to the latest version, which currently is version 2.10.16.
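Checking which installs still run a release older than the patched 2.10.16, as an added example that is not from the article, Wordfence or SiteOrigin: it walks a directory tree of WordPress sites, reads each plugin's header and flags copies of Page Builder by SiteOrigin below that version. It assumes every release before 2.10.16 is unpatched; the sample sites and directory names are constructed.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Page Builder by SiteOrigin"  # name as given in the article
FIXED = (2, 10, 16)  # patched release named in the article
# WordPress reads plugin metadata from a comment header near the top of a
# PHP file in the plugin's own directory; only the first 8 KB is examined.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.M | re.I)

def parse_version(text):
    """'2.10.9' -> (2, 10, 9), so 2.10.9 sorts below 2.10.16 (not as a string)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def read_header(php_file):
    head = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    return {key.lower(): value.strip() for key, value in HEADER.findall(head)}

def audit(root):
    """Return (plugin_dir, version, status) for each copy found under root."""
    findings = []
    for php in sorted(Path(root).glob("**/wp-content/plugins/*/*.php")):
        meta = read_header(php)
        if meta.get("plugin name") != PLUGIN_NAME:
            continue
        version = meta.get("version", "")
        parsed = parse_version(version)
        if not parsed:
            status = "UNKNOWN"  # header has no usable version: check by hand
        else:
            status = "VULNERABLE" if parsed < FIXED else "patched"
        findings.append((str(php.parent.relative_to(root)), version, status))
    return findings

def demo():
    """Constructed sample tree, not real sites; directory names are made up."""
    samples = {"site-a": (PLUGIN_NAME, "2.10.9"), "site-b": (PLUGIN_NAME, "2.10.16"),
               "site-c": ("Some Other Plugin", "1.0.0")}
    with tempfile.TemporaryDirectory() as root:
        for site, (name, ver) in samples.items():
            plugin_dir = Path(root, site, "wp-content", "plugins", "example-dir")
            plugin_dir.mkdir(parents=True)
            (plugin_dir / "main.php").write_text(
                f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
        return audit(root)

if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

Point `audit()` at the directory that holds your WordPress document roots; the numeric comparison matters because a plain string comparison would rank 2.10.9 above 2.10.16.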
More about Page Builder by SiteOrigin
This is a plugin designed to simplify page and post editing in WordPress. With it, users can create responsive, column-based content, with the help of widgets from WordPress and widgets from the SiteOrigin Widgets Bundle plugin.
The plugin also features a built-in live editor, which helps users update content, drag and drop widgets, and observe the changes in real time.
In conclusion, two high-risk security vulnerabilities were discovered in the Page Builder by SiteOrigin plugin that allowed attackers to forge requests on behalf of a site administrator. This could then lead to the execution of malicious code in the admin’s browser. Fortunately, the two flaws were addressed and patched in Page Builder version 2.10.16. The general recommendation is that users immediately update to the latest version of the plugin.
Full technical disclosure of the vulnerabilities is available.