Written by Editorial Team on May 15, 2020

Vulnerability Found In SiteOrigin WordPress Page Builder Plugin

On May 12, 2020, a critical vulnerability was found in the famous WordPress page builder plugin, SiteOrigin. This vulnerability threatens over a million websites that are using SiteOrigin.

According to researchers at WordPress, both security bugs can lead to cross-site request forgery (CSRF) and reflected cross-site scripting (XSS). They “allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser,” according to Wordfence researchers, in a Monday posting.

They assigned both flaws a severity rating of 8.8 out of 10, but no CVEs have yet been assigned.

What Is This WordPress Vulnerability All About?

If exploited, both bugs could be used to redirect a site’s administrator, create a new administrative user account or inject a backdoor on a site.

The first issue lies in the built-in live editor within the plugin – this feature lets users update content and drag/drop widgets while gaining a real-time view of the changes on the given website.

“In order to show the modifications in real-time through the live editor, the plugin registers the is_live_editor() function to check if a user is in the live editor,” explained Wordfence researchers. “If the user is in the live editor, the siteorigin_panels_live_editor parameter will be set to ‘true’ and register that a user is accessing the live editor. The plugin will then attempt to include the live editor file which renders all of the content.”

Image caption: SiteOrigin vulnerability threatens over 1 million website users

This rendering file, “live-editor-preview.php”, is what updates the page preview with the changes in real time.

The problem is that there is no nonce protection to verify that an attempt to render content in the live editor came from a legitimate source, according to Wordfence.

“Some of the available widgets, such as the ‘Custom HTML’ widget, could be used to inject malicious JavaScript into a rendered live page,” the researchers wrote. “If a site administrator was tricked into accessing a crafted live preview page, any malicious JavaScript included as part of the Custom HTML widget could be executed in the browser.”

Because the data associated with a live preview was never stored in the database, the result is a reflected XSS flaw (chained with the CSRF flaw) rather than a stored XSS flaw.

A second flaw is also a CSRF-to-XSS issue, this time in the action_builder_content function of the plugin, which is tied to the AJAX action wp_ajax_so_panels_builder_content.

“This function’s purpose was to transmit content submitted as panels_data from the live editor to the WordPress editor in order to update or publish the post using the content created from the live editor,” the researchers said. “This function did have a permissions check to verify that a user had the capability to edit posts for the given post_id. However, there was no nonce protection to verify the source of a request, causing the CSRF flaw.”

In testing exploits, the researchers found that the “Text” widget could be used to inject malicious JavaScript due to the ability to edit content in a “text” mode rather than a “visual” mode.

“This allowed potentially malicious JavaScript to be sent unfiltered,” according to Wordfence. “Due to the widget data being echoed, any malicious code that was a part of the text widgets data could then be executed as part of a combined CSRF to XSS attack in a victim’s browser.”
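As an added illustration (not SiteOrigin's code and not the 2.10.16 patch), the sketch below in WordPress PHP puts the handler pattern described above, a capability check with no nonce and unfiltered output, next to a hardened version. The action name wp_ajax_so_panels_builder_content and the panels_data and post_id parameters come from the article; the function names, the _panelsnonce field and the script handle are assumptions.

```php
<?php
// Added illustration, not the plugin's code. vuln_builder_content() and
// fixed_builder_content() are hypothetical names for the pattern the article
// describes: a capability check proves who the user is, not that the request
// came from the plugin's own UI; only a nonce bound to the action does that.

// Vulnerable shape: capability check present, nonce check absent, input echoed
// unfiltered. A cross-site POST issued by a logged-in editor's browser passes.
function vuln_builder_content() {
    $post_id = isset( $_POST['post_id'] ) ? intval( $_POST['post_id'] ) : 0;
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $panels_data = isset( $_POST['panels_data'] ) ? $_POST['panels_data'] : '';
    echo $panels_data; // reflected XSS sink
    wp_die();
}

// Hardened shape: same capability check, plus a nonce tied to this action,
// plus output filtering before the content is echoed back.
function fixed_builder_content() {
    // Sends -1 with HTTP 403 and stops when the nonce is missing or invalid.
    check_ajax_referer( 'so_panels_builder_content', '_panelsnonce' );

    $post_id = isset( $_POST['post_id'] ) ? intval( $_POST['post_id'] ) : 0;
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    $panels_data = isset( $_POST['panels_data'] ) ? wp_unslash( $_POST['panels_data'] ) : '';
    // wp_kses_post() keeps the HTML a post author may use and strips <script>,
    // on* event handlers and javascript: URLs.
    echo wp_kses_post( $panels_data );
    wp_die();
}
add_action( 'wp_ajax_so_panels_builder_content', 'fixed_builder_content' );

// The plugin's own UI gets the nonce server-side and sends it as _panelsnonce
// with every request; a third-party page cannot read it, so a forged POST fails.
function fixed_builder_enqueue_scripts() {
    wp_enqueue_script( 'builder-live', plugins_url( 'js/live.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'builder-live', 'builderAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'so_panels_builder_content' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'fixed_builder_enqueue_scripts' );
```

Detection-wise, the same nonce check gives site owners a log line to watch: admin-ajax.php requests for this action that fail check_ajax_referer() are exactly the forged requests the article describes.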

How To Know If Your WordPress Site Is Affected?

This WordPress vulnerability affects Page Builder by SiteOrigin version 2.10.15 and below; to avoid full site takeover, admins should upgrade the plugin to version 2.10.16.

It should also be noted that an attacker needs to trick a site administrator into executing an action, like clicking a link or an attachment, for the attack to succeed.

Wordfence thanked the developer "for an extremely prompt response and for releasing a patch very quickly."

The latest version of the plugin, v. 2.10.16, has resolved the issues. At the time of writing, 66.6% of all users have updated their builds. It is recommended that users make sure they are up-to-date. 
