Bugs in WordPress page builder plugin leave 1 million sites vulnerable to full takeover

Are you using WordPress? If you are and have installed SiteOrigin’s Page Builder plugin, your site could be vulnerable to full takeover by hackers.

To the uninitiated, Page Builder is a WordPress plugin created by SiteOrigin that is used to build websites using drag-and-drop functionality. It currently has a million active installations.

Researchers at Wordfence found two security bugs in the plugin that can lead to cross-site request forgery (CSRF) and reflected cross-site scripting (XSS). These two bugs allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser.

The bugs have been assigned with a severity rating of 8.8 out of 10 by the researchers, but no CVEs have yet been assigned.

The details of the flaws

The two flaws can be used by attackers to redirect a site’s administrator, create a new administrative user account or inject a backdoor on a site. The details of the flaws could be found in the link provided above.

The first flaw affect the built-in live editor within the plugin.

For the plugin to show the modifications done in the live editor in real time, it registers the is_live_editor() function to check if a user is in the live editor. If the user is in the live editor, the siteorigin_panels_live_editor parameter will be set to “true” and register that a user is accessing the live editor. The plugin will then attempt to include the live editor file which renders all of the content. Then, the “live-editor-preview.php” rendering file updates the page preview with changes made in real time.

This is all good but the problem lies in the lack of nonce protection. It is a method that could be used to verify that an attempt to render content in the live editor came from a legitimate source.

According to the researchers, some of the available WordPress widgets, such as the ‘Custom HTML’ widget, could be used to inject malicious Javascript into a rendered live page.

The second flaw is also a CRSF to XSS issue and it lies with the action_builder_content function of the plugin.

The purpose of the function was to transmit submitted content as panels_data from the live editor to the WordPress editor in order to update or publish the post using the content created from the live editor. Although the function did have a user permission check, there was no nonce protection to verify the request source, causing a CSRF flaw.

The researchers found that the “Text” widget could be used to inject malicious Javascript due to the ability to edit content in a “text” mode rather than a “visual” mode. With this, potentially malicious Javascript could be allowed to be sent unfiltered.

What should you do?

The flaws affect SiteOrigin’s Page Builder version 2.10.15 and below. In order to avoid full site takeover, admins should upgrade the plugin to version 2.10.16.

And it should be noted that an attacker needs to trick a site administrator into executing an action like click on a link or an attachment for the attack to succeed. Therefore, it is advisable not to click on any link or open any attachments that you are unsure of.

What is the difference between Authentication and Authorisation?

If you have been working as a member of the tech community (System Administrator, Software Engineer, etc.), you might have heard of the terms Authentication and Authorisation. Even though they are often used together when the security of a computer system or application is involved, they are two completely different security processes.

What is Authentication?

Authentication in the security context refers to the act or process that validates if a user of a software, computer or system is who they claim to be. The most common way to do this via the use of a password. If the user enters the correct password, the system assumes the identity is valid and allows access.

The use of password-based authentication is also known as single-factor authentication.

However, it is no longer sufficient to rely on password alone to validate a user’s identity in recent times. Improvements in computer performance have led to the reduction in the time needed to brute force a password (or in layman terms, trying out every combination of letters, numbers and symbols) and gain access into a system. Furthermore, it is human nature to use something short and/or familiar such as birthdays, social security numbers, national identity numbers and names as passwords.

In order to increase the level of security of a system, multi-factor authentication is becoming a norm and highly recommended for systems that process sensitive information.

Two-factor authentication is one of the more common multi-factor authentication scheme employed by companies such as Apple, Google and Microsoft. Under this scheme, the following two factors are commonly used for authentication:

  1. Something that you know (e.g. password)
  2. Something you own (e.g. smart card, smart phone)

This is based on the premise that even if some malicious actors manage to get a hold of a password to a system, they remain unable to log into a system because they do not have access to a registered hardware such as a smart card, security token or smart phone to further prove they are a valid user.

What is Authorisation?

Authorisation takes place after the user has verified their identity. It refers to the act or process that verifies if the authenticated user has the rights or permission to access or use a particular resource. In this context, a resource can refer to a file, a folder, a particular room within a building or an area.

The most common implementation of authorisation is role-based access control (RBAC). It is based on the premise that different users have different roles to play in a given organisation. Their roles ultimately determine the type of information they can access and the amount of responsibility they have.

However, RBAC may not be fine-grain enough to control access to specific resources—a role typically comes with a set of permissions. This is where attribute-based access control (ABAC) comes into the picture. In addition to using the roles and groups a user belongs in to determine the access, additional attributes such as a user’s citizenship, the action performed or the time at which the access is requested can be used to control access.

Conclusion

Both authentication and authorisation are fundamentals of system/information security. Without them or when they are implemented poorly, malicious actors could gain access to the system and extract sensitive information such as personal information and company secrets easily. Then, these actors could use what they acquired to mount further attacks that could include identity fraud or helping the competitors of a business to gain an edge. Even if the attacks do not come from outside the organisation, employees within could accidentally or intentionally access or change information that they are not permitted to.