Bugs in WordPress page builder plugin leave 1 million sites vulnerable to full takeover

Are you using WordPress? If you are and have installed SiteOrigin’s Page Builder plugin, your site could be vulnerable to full takeover by hackers.

To the uninitiated, Page Builder is a WordPress plugin created by SiteOrigin that is used to build websites using drag-and-drop functionality. It currently has a million active installations.

Researchers at Wordfence found two security bugs in the plugin that can lead to cross-site request forgery (CSRF) and reflected cross-site scripting (XSS). These two bugs allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser.

The bugs have been assigned with a severity rating of 8.8 out of 10 by the researchers, but no CVEs have yet been assigned.

The details of the flaws

The two flaws can be used by attackers to redirect a site’s administrator, create a new administrative user account or inject a backdoor on a site. The details of the flaws could be found in the link provided above.

The first flaw affect the built-in live editor within the plugin.

For the plugin to show the modifications done in the live editor in real time, it registers the is_live_editor() function to check if a user is in the live editor. If the user is in the live editor, the siteorigin_panels_live_editor parameter will be set to “true” and register that a user is accessing the live editor. The plugin will then attempt to include the live editor file which renders all of the content. Then, the “live-editor-preview.php” rendering file updates the page preview with changes made in real time.

This is all good but the problem lies in the lack of nonce protection. It is a method that could be used to verify that an attempt to render content in the live editor came from a legitimate source.

According to the researchers, some of the available WordPress widgets, such as the ‘Custom HTML’ widget, could be used to inject malicious Javascript into a rendered live page.

The second flaw is also a CRSF to XSS issue and it lies with the action_builder_content function of the plugin.

The purpose of the function was to transmit submitted content as panels_data from the live editor to the WordPress editor in order to update or publish the post using the content created from the live editor. Although the function did have a user permission check, there was no nonce protection to verify the request source, causing a CSRF flaw.

The researchers found that the “Text” widget could be used to inject malicious Javascript due to the ability to edit content in a “text” mode rather than a “visual” mode. With this, potentially malicious Javascript could be allowed to be sent unfiltered.

What should you do?

The flaws affect SiteOrigin’s Page Builder version 2.10.15 and below. In order to avoid full site takeover, admins should upgrade the plugin to version 2.10.16.

And it should be noted that an attacker needs to trick a site administrator into executing an action like click on a link or an attachment for the attack to succeed. Therefore, it is advisable not to click on any link or open any attachments that you are unsure of.