Security researchers uncovered two vulnerabilities in a WordPress plugin, this time affecting more than 200,000 websites. The PageLayer plugin contains two reflected XSS (cross-site scripting) flaws that could enable threat actors to execute malicious JavaScript code in an administrator’s browser. This malicious activity could lead to the takeover of the targeted WordPress site. The discovery comes from the Wordfence team.
The good news is that Softaculous, the PageLayer plugin’s developer, reacted quickly after the disclosure. A patch is now available, and users of the plugin should apply it immediately. The fixed plugin version is PageLayer 1.3.5. If your website is behind a firewall with built-in XSS protection, you won’t be affected by these issues.
Details about the PageLayer plugin vulnerabilities
First, let’s explain what XSS, or cross-site scripting, is. In layman’s terms, it is a security flaw that allows an attacker to inject client-side scripts (such as JavaScript) into a web page and so gain direct access to sensitive information. XSS can also be exploited to impersonate a user, or to trick a user into revealing information the attacker wants. The outcomes of these attacks include hijacked user sessions, defaced websites, and users redirected to malicious websites.
PageLayer is a drag-and-drop website builder. The two XSS flaws reside in its font-size parameter and its color settings. The first vulnerability carries a severity rating of 6.1, which is medium.
The PageLayer plugin has a settings page that lets site designers select the default font and color the page builder uses. These options are accepted via various $_POST parameters. “For example body[font-size] or h3[font-size] could be used to set the font size for body or h3 tags, and color[background] could be used to set the background color,” Wordfence explains.
A particular function, pagelayer_website_settings, was used to modify these settings. It contained a capability check and a nonce so that only authorized requests could apply changes. However, if a request was submitted without the submit parameter, the change wouldn’t be saved, and the request would continue on to the pagelayer_website_settings_T function.
This function displayed forms on the settings page. “Unfortunately, this function also called two other functions that accepted user input in order to display settings, and this is where an attacker could inject malicious JavaScript that could lead to a takeover of a WordPress site,” the researchers reported.
What about the pagelayer_website_color function? “If an attacker could trick an administrator into clicking a link that submitted a POST request containing a color subparameter such as color[background] set to a malicious script, that script would be executed in the administrator browser,” Wordfence added.
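The pattern Wordfence describes, a settings form that re-displays a raw $_POST value on a code path the capability and nonce checks never covered, is shown below next to a hardened version. This is an added illustration, not PageLayer’s actual code; the pagelayer_demo_* function names, the option array shape and the sample request value are all constructed.

```php
<?php
// Added illustrative example, not PageLayer's actual code. The pagelayer_demo_*
// names, the option array shape and the sample input are all constructed.

// WordPress provides esc_attr(); this fallback only lets the file run outside WP.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern described in the report: the form re-displays whatever
// arrived in $_POST['color']['background'] with no escaping, on a code path that
// is reached even when the nonce/capability-protected save branch is skipped.
function pagelayer_demo_color_field_vulnerable(array $post): string {
    $value = $post['color']['background'] ?? '#ffffff';
    return '<input type="text" name="color[background]" value="' . $value . '">';
}

// Hardened form: (1) render the stored setting, never raw request data;
// (2) validate that the value has the shape of a CSS hex color;
// (3) escape for the attribute context with esc_attr().
function pagelayer_demo_validate_color(string $value, string $default = '#ffffff'): string {
    return preg_match('/\A#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})\z/', $value) ? $value : $default;
}

function pagelayer_demo_color_field_safe(array $stored): string {
    // In WordPress $stored would come from get_option(), written only by a save
    // handler that passed current_user_can() and check_admin_referer().
    $value = pagelayer_demo_validate_color((string) ($stored['color']['background'] ?? ''));
    return '<input type="text" name="color[background]" value="' . esc_attr($value) . '">';
}

// Constructed request: a value that is not a color and contains markup characters.
$sample_post = ['color' => ['background' => '#fff"><b>not-a-color</b>']];

// The raw value lands inside the HTML and breaks out of the attribute and the tag.
echo "vulnerable: " . pagelayer_demo_color_field_vulnerable($sample_post) . PHP_EOL;

// Even if such a value had reached storage, validation rejects it and the
// default '#ffffff' is rendered; a value that passed validation would still be
// attribute-escaped by esc_attr().
echo "safe:       " . pagelayer_demo_color_field_safe($sample_post) . PHP_EOL;
echo "escaped:    " . esc_attr('#fff"><b>x</b>') . PHP_EOL;
```

Run it with `php` on the command line to compare the three output lines; inside WordPress the fallback esc_attr() is skipped and the core function is used.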
More technical details are available in the original report.