According to researchers at WordPress, both security bugs can lead to cross-site request forgery (CSRF) and reflected cross-site scripting (XSS). They “allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser,” according to Wordfence researchers, in a Monday posting.
They assigned both flaws a severity rating of 8.8 out of 10, but no CVEs have yet been assigned.
If exploited, both bugs could be used to redirect a site’s administrator, create a new administrative user account or inject a backdoor on a site.
The first issue lies in the plugin's built-in live editor, a feature that lets users update content and drag and drop widgets while seeing the changes on the site in real time.
“In order to show the modifications in real-time through the live editor, the plugin registers the is_live_editor() function to check if a user is in the live editor,” explained Wordfence researchers. “If the user is in the live editor, the siteorigin_panels_live_editor parameter will be set to ‘true’ and register that a user is accessing the live editor. The plugin will then attempt to include the live editor file which renders all of the content.”
This rendering file, “live-editor-preview.php”, is what updates the page preview with the submitted changes in real time.
The problem is that there is no nonce protection to verify that an attempt to render content in the live editor came from a legitimate source, according to Wordfence.
Because the data associated with a live preview is never stored in the database, the result is a reflected XSS flaw rather than a stored one, chained with the CSRF flaw.
The second flaw is also a CSRF-to-XSS issue, this time in the plugin's action_builder_content function, which is tied to the AJAX action wp_ajax_so_panels_builder_content.
“This function’s purpose was to transmit content submitted as panels_data from the live editor to the WordPress editor in order to update or publish the post using the content created from the live editor,” the researchers said. “This function did have a permissions check to verify that a user had the capability to edit posts for the given post_id. However, there was no nonce protection to verify the source of a request, causing the CSRF flaw.”
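To illustrate the gap the researchers describe, here is an added example (not the plugin's own code, and not its actual patch) of a WordPress AJAX handler for a hypothetical page-builder action: first the weak shape, where a capability check exists but nothing proves the request originated from the site's own editor, and then the hardened form that also verifies a per-user nonce and sanitizes the content it echoes back. The action name `example_builder_content`, the `post_id` and `panels_data` fields, and the script handle are constructed for this example.

```php
<?php
// Added example, not the plugin's own code. Action, handle and field names
// are constructed; the WordPress functions used (check_ajax_referer,
// current_user_can, wp_kses_post, wp_localize_script, ...) are real core APIs.

// Weak form: the capability check alone does not stop a cross-site request,
// because the browser attaches the logged-in administrator's cookies to any
// request a third-party page triggers. This handler is intentionally NOT
// registered with add_action().
function example_builder_content_weak() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    $panels_data = isset( $_POST['panels_data'] ) ? wp_unslash( $_POST['panels_data'] ) : '';
    wp_send_json_success( array( 'content' => $panels_data ) ); // unsanitized echo
}

// Hardened form: require a nonce minted for this action and this user
// (check_ajax_referer() reads the '_ajax_nonce' field and dies with 403 if it
// is missing or invalid), keep the capability check, and pass the returned
// markup through wp_kses_post() so the response cannot carry script.
function example_builder_content_hardened() {
    check_ajax_referer( 'example_builder_content' );
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    $panels_data = isset( $_POST['panels_data'] ) ? wp_unslash( $_POST['panels_data'] ) : '';
    wp_send_json_success( array( 'content' => wp_kses_post( $panels_data ) ) );
}
add_action( 'wp_ajax_example_builder_content', 'example_builder_content_hardened' );

// Hand the nonce to the editor's script so legitimate requests can send it
// as the '_ajax_nonce' POST field. A nonce is bound to the user and action
// and expires, which is what a forged cross-site request cannot supply.
function example_builder_enqueue() {
    wp_enqueue_script( 'example-builder', plugins_url( 'builder.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-builder', 'exampleBuilder', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_builder_content' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_builder_enqueue' );
```

The same pattern applies to the live-editor render path described above: a parameter such as a "live editor" flag should be accompanied by a nonce checked with wp_verify_nonce() before the preview file is included.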
This WordPress vulnerability affects the Page Builder by SiteOrigin version 2.10.15 and below; to avoid full site takeover, admins should upgrade their plugins to version 2.10.16.
It should also be noted that an attacker needs to trick a site administrator into executing an action, like clicking a link or an attachment, for the attack to succeed.
Wordfence thanked the developer "for an extremely prompt response and for releasing a patch very quickly."
The latest version of the plugin, v. 2.10.16, has resolved the issues. At the time of writing, 66.6% of all users have updated their builds. It is recommended that users make sure they are up-to-date.