Two Vulnerabilities found in Page Builder By SiteOrigin, a plugin actively installed on over 1,000,000 WordPress websites.
SiteOrigin Page Builder is the most popular page creation plugin for WordPress websites. It makes it easy to create responsive column based content, using the widgets you know and love, and your content will accurately adapt to all mobile devices, ensuring your site is mobile-ready.
The Wordfence Threat Intelligence team found Two vulnerabilities in Page Builder By SiteOrigin. Both of these flaws allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser. The attacker needs to trick a site administrator into executing an action, like clicking a link or an attachment, for the attack to succeed.
What Vulnerabilities Can Do?
As part of the vulnerability, some of the available widgets, such as the “Custom HTML” widget, could be used to inject malicious JavaScript into a rendered live page. If a site administrator was tricked into accessing a crafted live preview page, any malicious Javascript included as part of the “Custom HTML” widget could be executed in the browser. The data associated with a live preview was never stored in the database, resulting in a reflected XSS flaw rather than stored XSS flaw, in conjunction with the CSRF flaw.
The Wordfence security team found Cross-Site Request Forgery flaw in the action_builder_content function of the plugin. With this function, the “Custom HTML” widget did not create an XSS flaw in the same way as the previous vulnerability due to some sanitization features.
However, they discovered that the “Text” widget could be used to inject malicious JavaScript due to the ability to edit content in a ‘text’ mode rather than a ‘visual’ mode. This allowed potentially malicious JavaScript to be sent unfiltered. Due to the widget data being echoed, any malicious code that was a part of the text widgets data could then be executed as part of a combined CSRF to XSS attack in a victim’s browser.
This flaw could be used to redirect a site’s administrator, create a new administrative user account.
Disclosure Timeline
- May 4, 2020 – Initial discovery and analysis of vulnerabilities. We verify the Wordfence built-in XSS firewall rule offers sufficient protection. Initial outreach to the plugin’s team.
- May 4, 2020 – Plugin’s developer confirms appropriate channel and we provide full disclosure.
- May 5, 2020 – Developer acknowledges vulnerabilities and advises that they should have a patch released later in the day.
- May 5, 2020 – A sufficient patch is released.
Vulnerability Fixed – Update Now
If you are using Page Builder plugin then you need to update it now. Wordfence team are considered high-risk security issues that could lead to full site takeover and recommending an immediate update of Page Builder by SiteOrigin to the latest version available. At the time of writing, that is version 2.10.16.
