Vulnerabilities Patched in WP Page Builder
On February 15, 2021, the Wordfence Threat Intelligence team began the responsible disclosure process for several vulnerabilities in WP Page Builder, a plugin installed on over 10,000 sites. These vulnerabilities allowed any logged-in user, including subscribers, to access the page builder’s editor and make changes to existing posts on the site by default. Additionally, any logged-in user could add malicious JavaScript to any post, potentially resulting in site takeover.
We initially contacted Themeum, the plugin’s publisher, on February 15, 2021 and received a response that evening. We provided full disclosure the next day, on February 16, 2021. A patched version of the plugin was made available on March 17, 2021. In a laudable display of transparency, Themeum released a blog post the same day about the security issues fixed in the update.
Wordfence Premium users received a firewall rule protecting against these vulnerabilities on February 15, 2021. Sites still running the free version of Wordfence received the same protection 30 days later, on March 17, 2021.
Affected Plugin: WP Page Builder
Plugin Slug: wp-pagebuilder
Affected Versions: < 1.2.4
CVE ID: CVE-2021-24207
CVSS Score: 5.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Fully Patched Version: 1.2.4
WP Page Builder is a site designer that allows easy visual editing of posts and pages. One feature that it included was the ability to block specific roles from editing posts and pages.
Unfortunately, no roles were blocked by default, including subscriber-level roles. This meant that any user able to log into a site running WP Page Builder, including subscribers and customers, could access the visual editor simply by visiting the post editor’s URL for a given post or page and supplying wppb_editor
in the action
parameter. Once in the visual editor, these users could make and publish changes to existing posts and pages despite lacking the permissions normally required to do so.
Affected Plugin: WP Page Builder
Plugin Slug: wp-pagebuilder
Affected Versions: < 1.2.4
CVE ID: CVE-2021-24208
CVSS Score: 7.4 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 1.2.4
While the ability of untrusted users to edit posts and pages would be a nuisance on its own, it was also possible for any logged-in user to add malicious JavaScript to any post or page via the visual editor. This could be done through both the “Raw HTML” widget and the “Custom HTML” widgets. JavaScript could be added directly to the “Raw HTML” widget via the User Interface. Adding JavaScript to the “Custom HTML” widget required sending a crafted request via the page_builder_data
parameter when performing the wppb_page_save
AJAX action, which is used by the plugin to save changes to a post. It was also possible to insert malicious JavaScript via the wppb_page_css
parameter when sending a crafted wppb_page_save
AJAX request.
As with any stored Cross-Site Scripting vulnerability, malicious JavaScript injected this way could be used to insert malicious administrators or add a backdoor if a logged-in administrator visited an affected page, leading to site takeover. The fact that any logged-in user, including customers and subscribers, could use this technique for privilege escalation significantly increases the risk of this vulnerability being exploited.
Timeline
February 15, 2021 – Wordfence Threat Intelligence finishes researching vulnerabilities in the WP Page Builder plugin. We release a firewall rule to our premium customers and initiate contact with Themeum, the plugin publisher.
February 16, 2021 – We provide full disclosure to Themeum.
March 17, 2021 – A patched version of the plugin is made available, and the firewall rule becomes available to free Wordfence users.
Conclusion
In today’s post, we covered 2 vulnerabilities in WP Page Builder that collectively allowed any logged-in user the ability to change site content and add malicious JavaScript to a site. We strongly recommend updating to the latest version available, which is 1.2.5 at the time of this writing.
Wordfence Premium users have been protected against these exploits since February 15, 2021. Sites still running the free version of Wordfence received the same protection on March 17, 2021.
If you know anyone using this plugin, please forward this advisory to them and encourage them to make sure they’ve updated to the latest version available, as this vulnerability has been public since the plugin was updated.
Special thanks to Themeum for their exemplary handling of these vulnerabilities.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.
Comments