The good news is that Softaculous, the PageLayer plugin’s developers, reacted quickly after the disclosure. A patch is now available, and users of the plugin should apply it immediately. The secure plugin version is PageLayer 1.3.5. If your website runs a specific firewall with built-in XSS protection, you won’t be affected by the issues.
Details about the PageLayer plugin vulnerabilities
PageLayer is a drag-and-drop website builder. The two XSS flaws reside in its font-size parameter and color settings. The first vulnerability is rated 6.1 in terms of severity, which means medium danger.
The PageLayer plugin has a settings page, enabling site designers to select the default font and color that the page builder utilizes. These options are accepted via various $_POST parameters. “For example body[font-size] or h3[font-size] could be used to set the font size for body or h3 tags, and color[background] could be used to set the background color,” Wordfence explains.
A particular function, pagelayer_website_settings, was used to modify these settings. It contained a capability check and a nonce so that only authorized requests could apply changes. However, if a request was submitted without the submit parameter, the change wouldn’t be saved, and the request would continue to the pagelayer_website_settings_T function.
What about the pagelayer_website_color function? “If an attacker could trick an administrator into clicking a link that submitted a POST request containing a color subparameter such as color[background] set to a malicious script, that script would be executed in the administrator’s browser,” Wordfence added.
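One way to keep a settings form from reflecting request data unsafely, shown as an added example that is not PageLayer’s or Wordfence’s code: validate each font-size and color subparameter against an allowlist and escape it again on output. The function names, accepted value formats, stored settings and sample request are assumptions made for illustration; in a WordPress plugin the escaping call would normally be esc_attr().

```php
<?php
// Added example with hypothetical helper names; not the plugin's code.

// Accept only CSS lengths such as "16px", "1.2em" or "110%".
function example_clean_font_size($value) {
    $value = is_string($value) ? trim($value) : '';
    return preg_match('/^\d{1,3}(\.\d{1,2})?(px|em|rem|pt|%)$/D', $value) ? $value : null;
}

// Accept only #rgb, #rrggbb or #rrggbbaa hex colours.
function example_clean_color($value) {
    $value = is_string($value) ? trim($value) : '';
    return preg_match('/^#(?:[0-9a-f]{3}|[0-9a-f]{6}|[0-9a-f]{8})$/iD', $value)
        ? strtolower($value) : null;
}

// Render one form field. The value is escaped for an HTML attribute even
// though it has already been validated (defence in depth).
function example_render_field($name, $value) {
    return sprintf(
        '<input type="text" name="%s" value="%s">',
        htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    );
}

// Build the form from stored settings; request data is shown only if it validates.
function example_settings_form(array $post, array $saved) {
    $html = '';
    foreach (['body', 'h3'] as $tag) {
        $size = example_clean_font_size($post[$tag]['font-size'] ?? null)
            ?? $saved[$tag]['font-size'];
        $html .= example_render_field($tag . '[font-size]', $size) . "\n";
    }
    $bg = example_clean_color($post['color']['background'] ?? null)
        ?? $saved['color']['background'];
    return $html . example_render_field('color[background]', $bg) . "\n";
}

// Constructed request: no "submit" parameter and a hostile color value.
$post  = ['h3' => ['font-size' => '22px'],
          'color' => ['background' => '"><script>alert(1)</script>']];
$saved = ['body' => ['font-size' => '16px'], 'h3' => ['font-size' => '20px'],
          'color' => ['background' => '#ffffff']];
echo example_settings_form($post, $saved);
```

With the constructed request, the h3 size of 22px is displayed because it passes validation, while the hostile color value is rejected and the stored #ffffff is rendered instead.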
More technical details are available in the original report.